Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
ML Training
v1.0.0
Train, evaluate, tune, and deploy supervised, unsupervised, and transfer learning models using PyTorch, TensorFlow, and scikit-learn on Nautilus.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims end-to-end ML training, evaluation, tuning, and deployment on Nautilus and mentions an API endpoint and token-rewarding platform, but it declares no required environment variables, credentials, or binaries. Realistically, interacting with Nautilus (submitting/claiming tasks, reporting results) and deploying models (cloud endpoints, wallet/claiming tokens) will require authentication and/or cloud credentials and access to ML frameworks and GPUs. The absence of these requirements is inconsistent with the claimed capabilities.
Instruction Scope
SKILL.md is high-level and gives the agent broad discretion (fetch dataset sources, choose architectures, run training, deploy endpoints). It references https://www.nautilus.social/api/academic-tasks as the task source but does not describe authentication, allowed dataset sources, data handling rules, or exact endpoints for reporting results. That vagueness can lead the agent to access arbitrary datasets, external hosts, or upload sensitive outputs without constraints.
Install Mechanism
No install spec or code files are present (instruction-only), which is lower risk from an installation perspective. However, the skill implicitly requires heavy ML frameworks and compute (PyTorch, TensorFlow, GPUs) but does not declare or verify them — it assumes the runtime environment already provides them.
Credentials
No environment variables, credentials, or config paths are declared despite the skill needing to contact the Nautilus API, possibly claim NAU rewards (wallet or account auth), download or push models to cloud storage, and use third-party model hubs. The lack of any primary credential is disproportionate to the platform integration described and increases the chance of missing or ad-hoc handling of sensitive secrets at runtime.
Persistence & Privilege
always is false and there are no indications the skill modifies system-wide settings or other skills. It does allow autonomous invocation by default (normal for skills) but that alone isn't a new risk without the other red flags.
What to consider before installing
This skill declares broad ML capabilities tied to Nautilus but omits critical operational details. Before installing or enabling it:
1) Ask the author for the exact authentication method and required environment variables (e.g., NAUTILUS_API_TOKEN, wallet key / NAU claim credentials, HUGGINGFACE_TOKEN if needed).
2) Confirm expected runtime environment: which frameworks, GPU access, and whether large downloads are permitted.
3) Request explicit data handling and deployment policies (allowed dataset sources, where models are uploaded, who can access outputs).
4) If you must test it, run in an isolated environment (no access to sensitive files or production cloud credentials) and provide only least-privilege test credentials.
5) Be cautious about granting network and cloud/storage credentials until the skill documents exactly what it will call and why.
These inconsistencies could be benign omissions, but they also enable unexpected data transfers or misuse if left unresolved.
Like a lobster shell, security has layers — review code before you run it.
