Numinous Forecast
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: numinous-forecast
Version: 1.0.3

The skill is designed to interact with the Numinous forecasting API, which requires payments via the x402 protocol using EVM or Solana private keys. The `SKILL.md` clearly documents the need for `NUMINOUS_X402_EVM_PRIVATE_KEY` (and optionally SVM) and provides a security warning about handling private keys. The Python code (`numinous_api.py`) reads these keys from environment variables and uses them solely for cryptographic signing within the `x402` payment library for calls to `https://api.numinouslabs.io`. There is no evidence of data exfiltration, unauthorized command execution, persistence mechanisms, or prompt injection attempts against the agent in any of the files. The handling of private keys is a necessary and documented part of the skill's functionality, not indicative of malicious intent.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A forecast request could spend wallet funds automatically once the agent runs the skill, and the reviewed artifacts do not bound the maximum cost.
The code creates a payment payload from the API's 402 response and immediately retries the request with a payment signature. The provided artifacts do not show a spending cap or separate confirmation before paying.
payment_payload = x402_client.create_payment_payload(payment_required)
sig_header_value = encode_payment_signature_header(payment_payload)
paid = client.post(... headers={PAYMENT_SIGNATURE_HEADER: sig_header_value})
Use a dedicated low-balance wallet, verify expected per-call prices with Numinous, and prefer an agent or wrapper that asks before paid calls or enforces a maximum spend.
Anyone or anything that can use this key may be able to spend funds from that wallet for supported payment flows.
The skill clearly requires a wallet private key to authorize payments. This is expected for x402 payments, but it is a powerful credential.
`NUMINOUS_X402_EVM_PRIVATE_KEY`: EVM key (0x…) for Base / EVM payments ... Security note: these are **private keys**. Treat them like cash.
Do not use a primary wallet. Create a separate wallet with only the funds you are willing to spend on forecasts, and keep the private key out of chats and logs.
A compromised or incompatible dependency version could affect payment handling or forecast requests.
The setup installs an external package without a pinned version. This is normal for the stated integration, but users inherit trust in the package source and future package versions.
uv pip install "x402[httpx,evm]"
Install from a trusted environment and consider pinning reviewed package versions if using this in a production or high-value wallet context.
