Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

predict-intelligence

v1.0.1

Predict intelligence skill for AI agents. Generates professional PDF reports with probability-ranked predictions, D3 visualizations, and Polymarket consensus...

by Anygen Selected Skill @ken-chy129
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The skill claims to only need Playwright for PDF conversion, but shipped code and requirements contradict that: scripts/build_report.py imports Jinja2, scripts/fetch_polymarket.py requires requests, and scripts/requirements.txt lists jinja2, requests, staticmap, Pillow, and playwright. The SKILL.md explicitly states 'Jinja2, requests, etc. are NOT required', which is false given the code. This mismatch between stated minimal dependencies and actual required packages is incoherent.
Instruction Scope
Runtime instructions require broad web research (at least 8 web searches), fetching and saving exact article URLs, writing new HTML files from the template, and running local Python scripts. For geopolitical topics the agent is explicitly asked to collect lat/lon and ISO codes for locations. The workflow therefore requires network access, file read/write, and arbitrary URL fetching — expected for this skill but significant from a data-collection perspective. The template and examples load fonts and D3/topojson from CDNs (external network requests during rendering).
Install Mechanism
There is no formal install specification (instruction-only), which minimizes scripted install risk, but the repository includes a requirements.txt and Python scripts that will fail if dependencies are not installed. SKILL.md's install guidance only mentions Playwright (pip install playwright && playwright install chromium) and claims other Python packages are unnecessary — this is inaccurate. Absence of an authoritative install step combined with mismatched docs increases the chance an integrator will miss required packages or inadvertently run incomplete setup steps.
Credentials
The skill does not request environment variables, credentials, or config paths. External network calls are limited to public CDNs and documented APIs (Polymarket's gamma-api and optionally worldmonitor.app referenced in docs). No secrets are required by the code as provided, so requested privileges are proportionate to the stated purpose.
Persistence & Privilege
The skill is not always-enabled and does not request elevated agent privileges. It writes files in the working directory (HTML/PDF), runs local scripts, and uses network fetches — expected behavior for a report generator. Nothing indicates it modifies other skills or requests persistent system-wide configuration changes.
What to consider before installing
What to check before installing:
- Dependency mismatch: SKILL.md claims only Playwright is needed but the code imports Jinja2 and requests and a requirements.txt lists additional packages. Verify and install all required Python packages (pip install -r scripts/requirements.txt) or run in an isolated environment.
- Network activity: the skill performs many web searches, fetches article URLs, queries Polymarket's public API (https://gamma-api.polymarket.com), and loads assets from CDNs (fonts, D3). If you need to prevent outbound network calls, do not grant network access or run in a sandbox.
- Chromium download: Playwright install will download Chromium automatically — plan for that disk/network usage.
- Data handling: the agent will read/write files (templates, HTML, PDFs) and persist collected URLs and content. Avoid running it where sensitive files or credentials may be exposed; confirm it doesn't access any local paths you want private.
- Audit external endpoints: the Polymarket API is public per docs, but review any third-party endpoints (worldmonitor.app references, CDNs) to ensure they are acceptable for your environment.
- Testing: run the scripts manually in a disposable environment first (e.g., virtualenv or container), confirm outputs, and inspect generated HTML for any unintended external links or scripts.
- If you are uncomfortable with broad web scraping or handling geopolitical content, restrict use or require human review before the agent executes its research steps.

Like a lobster shell, security has layers — review code before you run it.

latestvk97cssa4w1ryzd501kw2mx48j582vac6
