Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
GAIN
v1.0.1Predict rice agronomic traits (yield, plant height, heading date, grain size, etc.) from genotype and environmental data using pre-trained MMoE deep learning...
⭐ 0· 46·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
Name/description (predict rice traits from genotype+environment) matches the provided files (VAE features, env caches, grid points, env processing, model definitions, prediction CLI). Required binaries/env are minimal and consistent with the stated purpose.
Instruction Scope
SKILL.md and scripts instruct the agent to load local data, optionally fetch weather from NASA POWER (https://power.larc.nasa.gov), cache responses under data/env_cache, process environmental features, and load model checkpoints to produce predictions. These actions are within scope, but the code uses torch.load() to load .pt checkpoints (model files), which can execute arbitrary code during unpickling if checkpoints are untrusted—this is expected for model-based skills but is a security consideration.
Install Mechanism
No install spec is declared (instruction-only), but the skill package contains code and data files. The skill relies on pip-installable Python packages listed in requirements.txt; there are no downloads from untrusted URLs or URL shorteners. The runtime will write cached NASA POWER CSVs into the skill's data/env_cache directory.
Credentials
The skill does not request environment variables, secrets, or unrelated credentials. Network access is used only to call the NASA POWER API (documented). File access is limited to files within the skill directory and any user-specified genotype CSV; this is proportionate to the stated functionality.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system settings. It will create cache files under its own data/env_cache directory to store fetched weather data, which is expected behaviour.
Assessment
This skill appears to do what it says: predict rice traits from genotype and environment. Before installing/use, consider: (1) Model checkpoints (.pt) are loaded with torch.load — ensure any .pt files packaged with or later added to this skill come from a trusted source because malicious checkpoints can execute code when unpickled. (2) The skill will call NASA POWER (power.larc.nasa.gov) if internet is available and will cache responses under data/env_cache in the skill folder; if you need to limit network access, run offline or provide local CSVs. (3) The included check_env.py references model files under data/models_* which are not listed in the manifest you provided — prediction will fail unless model checkpoints are present; verify where the model files originate. (4) Run the provided check_env.py in a sandbox or review the model files before running predict.py; inspect large .pt files or obtain them from the original author/repository. (5) If you allow users to pass a genotype_file path, be careful that the CLI will read that file; do not point it at sensitive system files. If you want higher assurance, request the upstream model artifacts or their provenance and validate them (or run inference in an isolated environment).scripts/predict.py:88
Dynamic code execution detected.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.Like a lobster shell, security has layers — review code before you run it.
latestvk9765a05wm01n7pw4c08hvwgcn83x397
License
MIT-0
Free to use, modify, and redistribute. No attribution required.