Superwise Drift Detection Skill
Advisory
Audited by Static analysis on May 13, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the deployed endpoint is publicly reachable, someone who discovers the URL may be able to repeatedly trigger checks, cause extra Superwise ingestion/evaluations, and generate Telegram alerts.
This documents a web trigger for the drift check. The provided artifacts do not show authentication or origin validation for an endpoint that can fetch inference records, ingest them into Superwise, trigger policy evaluations, and send Telegram alerts.
"webhook_url": "${RENDER_APP_URL}/run-check", "method": "GET"
Require a shared secret or signed header, restrict callers to OpenClaw, add rate limiting, and prefer an authenticated POST endpoint for side-effecting actions.
The skill can create/read Superwise monitoring resources, upload model data, and send Telegram notifications using the configured accounts.
The skill requires Superwise account credentials and Telegram bot/chat identifiers. This is expected for the stated integration, but it grants access to third-party account and messaging capabilities.
Credentials required in .env: SUPERWISE_CLIENT_ID, SUPERWISE_SECRET_TOKEN, ... TELEGRAM_BOT_TOKEN, TELEGRAM_CHAT_ID
Use scoped and revocable credentials where possible, store them as environment variables rather than chat text, and rotate them if the deployment is shared or exposed.
Running setup can create new Superwise resources and upload feature data from the chosen CSV.
The setup flow creates Superwise datasets and uploads the user-selected training CSV. These are intended side effects for drift monitoring, but they mutate a third-party account.
training_ds = sw.dataset.create(name=training_name, schema=schema) ... result = ingester.ingest_csv(csv_path=args.training_csv, dataset_id=training_ds.id, dataset_name=training_ds.name, key_col=args.key_col)
Review the CSV contents before upload, avoid sensitive columns unless intended, confirm dataset names, and use a test Superwise workspace for trial runs.
The service may continue fetching inference data, uploading records, evaluating policies, and sending alerts on the configured schedule until it is stopped.
The skill intentionally supports recurring scheduled checks through a deployed service. This is disclosed and aligned with monitoring, but it creates ongoing automated behavior.
Schedule: `0 6 * * *` ... deploy `scheduler.py` to Render using the included `render.yaml`
Set the schedule deliberately, document how to disable the Render service and OpenClaw trigger, and monitor usage/costs.
A future install may pull newer dependency versions with different behavior or newly introduced vulnerabilities.
The dependency list does not pin versions. The install step is expected for this Python skill, but unpinned packages can change behavior between installs.
superwise-api requests pandas python-dotenv flask apscheduler
Pin dependency versions or use a lockfile for production deployment.
