Skill v1.0.0

ClawScan security

Predict · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 10, 2026, 6:42 AM
Verdict
suspicious
Confidence
high
Model
gpt-5-mini
Summary
The skill claims to do full forecasting and scenario modelling but the package only includes a minimal script that doesn't consume input data and many referenced scripts/files are missing — the behavior does not match the promises.
Guidance
Do not assume this skill will perform the complex forecasting the description promises. What you have is a minimal script that prints template guidance and appends a short forecast record to ~/.openclaw/workspace/memory/predict/forecasts.json. Before installing or running: (1) Ask the author for the missing scripts (generate_scenarios.py, assess_risk.py, evaluate_probability.py, references/*) or a corrected SKILL.md; (2) Inspect those scripts to confirm they actually read and process data and do not contact external endpoints; (3) If you must run it, do so in a sandboxed environment and back up/monitor the ~/.openclaw/workspace/memory/predict directory to avoid unexpected file writes; (4) Prefer an updated package where declared capabilities match included code. If the author supplies the missing files and they perform as advertised (no unexpected network calls, proper data handling), this assessment could change to benign.

Review Dimensions

Purpose & Capability
concern
The skill's name and description promise forecasting, model building, scenario generation, probability evaluation, and accuracy tracking. The bundle only includes one simple script (forecast_trend.py) that prints a static forecasting framework and saves a short metadata record; it does not build models or read input data. SKILL.md references many other scripts and reference files that are not present, which is inconsistent with the stated capabilities.
Instruction Scope
concern
SKILL.md instructs running multiple scripts (generate_scenarios.py, assess_risk.py, evaluate_probability.py, etc.) and passing data files (e.g., --data "historical.csv"), but those scripts are absent and forecast_trend.py doesn't accept a --data argument or read data. The instructions therefore overreach the actual runtime behavior and would likely produce runtime errors or silently do less than promised.
Install Mechanism
ok
No install specification or external downloads are included (instruction-only with one script). This minimizes supply-chain risk; nothing is fetched or executed from remote URLs during install.
Credentials
ok
The skill requests no environment variables or credentials. The included script writes to a local path (~/.openclaw/workspace/memory/predict), which aligns with SKILL.md's claim that prediction data is stored locally, though SKILL.md earlier referenced memory/predict/ (path mismatch is minor but noted).
Persistence & Privilege
note
The skill does not request permanent/always inclusion and does not require extra privileges. It will create a directory and write forecasts.json under the user's home workspace (~/.openclaw/workspace/memory/predict), so expect persistent local storage of generated forecast records.