Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Oraclaw Calibrate

v1.0.0

Prediction quality scoring for AI agents. Brier score, log score, and multi-source convergence analysis. Know if your forecasts are accurate and if your data...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description (calibration, Brier/log scores, multi-source convergence) align with requiring a single ORACLAW_API_KEY. No unrelated binaries, config paths, or extra credentials are requested — the declared requirements are proportionate to the stated purpose.
Instruction Scope
SKILL.md describes 'tools' (score_calibration, score_convergence) and scoring rules but does not specify how to call any external API, what endpoint(s) to use, or what data will be transmitted. That vagueness gives runtime discretion to the agent to make network calls using the provided API key or to send arbitrary data to unknown endpoints. The doc also references pricing and an on-chain payment 'x402' without clarifying billing or telemetry practices.
Install Mechanism
Instruction-only skill with no install spec and no code files; nothing is written to disk by an installer. This is the lowest-risk install mechanism.
Credentials
Only a single environment variable (ORACLAW_API_KEY) is required and declared as the primary credential. That is consistent with a hosted API-based scoring service. However, an API key can grant data access and billing abilities — the key's scope and privileges should be confirmed before use.
Persistence & Privilege
always:false and no install means the skill does not demand permanent presence or elevated platform privileges. It is user-invocable and may be called autonomously by agents (platform default), which is expected but should be considered together with the vague instruction scope.
What to consider before installing
This skill appears to do what it says (calibration/scoring) and only asks for one API key, but the SKILL.md is vague about where data is sent and how the API key is used. Before installing or providing ORACLAW_API_KEY: (1) Ask the publisher for concrete API endpoints, request/response formats, and a privacy/billing policy; (2) Confirm the API key scope — create a limited-scope or test key if possible and avoid giving production secrets; (3) Test the skill with synthetic or non-sensitive data first; (4) Monitor API usage and billing linked to the key; (5) Be aware of the stated pricing and the on-chain payment reference — understand how charges are applied. If the vendor can't provide clear endpoints and data handling practices, treat the integration with caution.

Like a lobster shell, security has layers — review code before you run it.

latest vk9750y7h2qh50hqdtkqhz4mm0n83qcts

Runtime requirements

📊 Clawdis
Env: ORACLAW_API_KEY
Primary env: ORACLAW_API_KEY
