ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Oraclaw Bayesian

v1.0.0

Bayesian inference engine for AI agents. Update beliefs with new evidence. Prior + evidence = posterior. Multi-factor prediction with calibration tracking.

0· 39·0 current·0 all-time
by@whatsonyourmind
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
Name/description match a Bayesian inference tool, but the manifest declares a required ORACLAW_API_KEY (primary credential) and pricing/billing info even though the SKILL.md contains no network endpoints, API call examples, or instructions that actually use the key. It's unclear whether this skill is local-only or proxies requests to a remote service — the credential requirement is not justified by the included instructions.
Instruction Scope
SKILL.md defines a predict_bayesian JSON interface and describes how to update priors and weights; it does not instruct the agent to read any local files or other environment variables, nor does it instruct data exfiltration. However, it omits any concrete API endpoint, headers, or network call pattern despite declaring an API key and pricing, leaving runtime behavior ambiguous.
Install Mechanism
No install spec and no code files are present (instruction-only), which minimizes disk-write and code-execution risk. This is the lowest-risk install scenario.
Credentials
The skill asks for exactly one credential (ORACLAW_API_KEY), which is proportionate if a hosted API is used. Because the SKILL.md doesn't show how the key is used, it's not possible to confirm the key's scope (billing-only vs. access to user data). The single key is plausible but unexplained.
Persistence & Privilege
The skill is not always-enabled, is user-invocable, and requests no config paths or system privileges. There is no indication it will modify other skills or agent-wide settings.
What to consider before installing
This skill claims to perform Bayesian updates but asks for an API key and lists paid usage while providing no network or API call details. Before installing: (1) Ask the publisher how ORACLAW_API_KEY is used — what endpoint, what data is sent, and what permissions the key grants. (2) Verify billing details and the 'Base x402' payment flow separately. (3) Prefer a limited-scope/test API key (or a revocable key) when trying it. (4) If you cannot obtain clear docs showing that network calls are limited to the stated inference service, treat the key as sensitive and avoid installing. (5) Consider asking for an implementation that either performs inference locally (no API key) or explicitly documents the remote API calls it will make.

Like a lobster shell, security has layers — review code before you run it.

latestvk97dcgxdztem3f4bn0mw8r1v3n83qa82

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🔮 Clawdis
EnvORACLAW_API_KEY
Primary envORACLAW_API_KEY

Comments