Nordpool Fi

PassAudited by ClawScan on May 1, 2026.

Overview

The skill appears benign: it fetches public Finnish electricity price data and computes charging windows, with only an external API call, minor provenance metadata inconsistency, and possible daylight-saving-time accuracy issue to notice.

This looks safe for normal use: it fetches public electricity prices and prints JSON. Before relying on it for EV charging, confirm the Finland daylight-saving-time handling, and be aware it makes an outbound request to Porssisahko.net; no credentials, file access, persistence, or account changes are evident.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Low

#ASI09: Human-Agent Trust Exploitation

What this means

Charging windows or current-hour labels may be off by one hour during daylight-saving time.

Why it was flagged

The code acknowledges Finland uses UTC+3 in summer but always converts with UTC+2, while the skill says it handles Finland time. This is an output-reliability note rather than evidence of malicious behavior.

Skill content

# Finland: UTC+2 (Winter), UTC+3 (Summer)
    return dt.astimezone(timezone(timedelta(hours=2)))

Recommendation

Verify daylight-saving/time-zone behavior before relying on the schedule; if maintaining the skill, use a timezone database such as Europe/Helsinki.

Info

#ASI07: Insecure Inter-Agent Communication

What this means

The API provider may see a request from the user's environment, but no sensitive user data transmission is evident in the artifacts.

Why it was flagged

The observed network flow is an outbound request to the disclosed public price API. The artifacts do not show local files, credentials, or user content being sent.

Skill content

url = "https://api.porssisahko.net/v2/latest-prices.json"

Recommendation

Use the skill if you are comfortable with this external API request; review any future changes that add parameters, credentials, or local-data transmission.

Info

#ASI04: Agentic Supply Chain Vulnerabilities

What this means

Users have less registry-level assurance about origin/version, though the included behavior is reviewable from the provided files.

Why it was flagged

Registry provenance fields are limited, and package.json separately lists version 1.0.4 with a GitHub homepage. This is a provenance note because the included code is simple and has no install scripts or dependencies.

Skill content

Source: unknown; Homepage: none; Version: 1.0.5

Recommendation

Verify the package source and version manually if provenance matters for your environment.