Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Oraclaw Decide

v1.0.0

Decision intelligence for AI agents. Analyze options, map decision dependencies with PageRank, detect when information sources conflict, and find the choices...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The skill description and pricing imply an external SaaS (paid per call) which reasonably could require ORACLAW_API_KEY. However, the SKILL.md provides no network endpoints, API call examples, or instructions that reference the API key. Requiring a key without documenting its use is inconsistent.
! Instruction Scope
SKILL.md is an instruction-only spec describing capabilities and input formats but contains no explicit runtime steps for calling an external API, nor any guidance on using ORACLAW_API_KEY. That omission grants the agent broad discretion (e.g., to contact unknown endpoints) without transparency about what data would be sent.
Install Mechanism
No install spec or code files are present (instruction-only). This minimizes disk-write risks — there is nothing being downloaded or installed by the skill itself.
! Credentials
Only one credential (ORACLAW_API_KEY) is requested, which is proportionate if the skill calls an external Oraclaw API. But the SKILL.md never references that variable or shows authentication flows. The pricing/payment note further implies external billing. Requesting a secret without documenting its scope, endpoints, or what data is transmitted is a red flag.
Persistence & Privilege
always is false and the skill is not granted forced persistent presence. It does allow normal autonomous invocation (platform default), which is expected — no extra privileges are requested.
What to consider before installing
This skill appears to be a front-end for a paid decision-making API, but the runtime instructions don't say how the API key is used or where requests are sent. Before installing or providing ORACLAW_API_KEY you should:

1) Ask the publisher for API endpoint URLs, example requests/responses, and a privacy policy showing what user data is transmitted and stored.
2) Verify the homepage and publisher reputation and confirm payment details (the SKILL.md mentions $0.05/analysis).
3) If you test it, use a least-privilege or expendable API key and only run non-sensitive data.
4) Prefer to see explicit SKILL.md examples that show where the key is read and how authentication happens; absence of that detail is the core incoherence here.

If the maintainer cannot provide clear documentation, treat the skill as risky to give credentials to.


latestvk9765fge86q095xjnvee0wgm4n83qwjs


Runtime requirements

🎯 Clawdis
Env: ORACLAW_API_KEY
Primary env: ORACLAW_API_KEY
