Numinous Forecast
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill appears to do what it claims, but it can spend from a configured crypto wallet for each forecast and the artifacts do not show a spending cap or per-call confirmation.
Install only if you are comfortable with paid per-call forecasts. Use a dedicated low-balance wallet key, confirm Numinous pricing before use, and avoid allowing the agent to make repeated forecast calls without a budget or confirmation rule.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A forecast request could spend wallet funds automatically once the agent runs the skill, and the reviewed artifacts do not bound the maximum cost.
The code creates a payment payload from the API's 402 response and immediately retries the request with a payment signature. The provided artifacts do not show a spending cap or separate confirmation before paying.
payment_payload = x402_client.create_payment_payload(payment_required)
sig_header_value = encode_payment_signature_header(payment_payload)
paid = client.post(... headers={PAYMENT_SIGNATURE_HEADER: sig_header_value})
Use a dedicated low-balance wallet, verify expected per-call prices with Numinous, and prefer an agent or wrapper that asks before paid calls or enforces a maximum spend.
Anyone or anything that can use this key may be able to spend funds from that wallet for supported payment flows.
The skill clearly requires a wallet private key to authorize payments. This is expected for x402 payments, but it is a powerful credential.
`NUMINOUS_X402_EVM_PRIVATE_KEY`: EVM key (0x…) for Base / EVM payments ... Security note: these are **private keys**. Treat them like cash.
Do not use a primary wallet. Create a separate wallet with only the funds you are willing to spend on forecasts, and keep the private key out of chats and logs.
A compromised or incompatible dependency version could affect payment handling or forecast requests.
The setup installs an external package without a pinned version. This is normal for the stated integration, but users inherit trust in the package source and future package versions.
uv pip install "x402[httpx,evm]"
Install from a trusted environment and consider pinning reviewed package versions if using this in a production or high-value wallet context.
