Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Oraclaw Evolve
v1.0.0
Genetic Algorithm optimizer for AI agents. Multi-objective Pareto optimization for portfolio weights, pricing, hyperparameters, marketing mix — any problem w...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description and the optimize_evolve config align with a GA optimization tool. Requesting an ORACLAW_API_KEY could be reasonable if the skill calls an external Oraclaw service, but SKILL.md contains no instructions or endpoint showing where or how the API key is used.
Instruction Scope
The runtime instructions only define optimizer parameters, rules, and expected return values — they do not instruct reading unrelated files, environment variables, or secrets beyond the declared ORACLAW_API_KEY. There is no instruction to transmit extra local data.
Install Mechanism
Instruction-only skill with no install spec or code files. This minimizes on-disk risk; nothing is downloaded or written by the skill itself.
Credentials
Only a single credential (ORACLAW_API_KEY) is required, which is proportionate if the skill calls an external API. However, SKILL.md does not document any network endpoints, API surface, or how the key is used. The manifest also advertises paid pricing in USDC on Base (x402) — payment-related details are present but the skill does not request any payment credentials or explain billing or data-economics.
Persistence & Privilege
The skill does not request always:true and does not claim to persist or modify other skills or system settings. Default autonomous invocation is allowed (platform normal).
What to consider before installing
This skill generally looks like a genetic-algorithm optimizer, but there are gaps you should resolve before installing or providing credentials:
1) Ask the publisher how the ORACLAW_API_KEY is used — what endpoint/host does the agent call, what data is sent, and what permissions the API key grants?
2) Confirm billing: the SKILL.md lists a USDC/Base payment model — who charges this, how are payments triggered, and does the agent ever require wallet keys?
3) Prefer issuing a scoped, revocable API key with minimal permissions and set expiration/monitoring if you test the skill.
4) If you need to run privately sensitive data through optimizations, verify the service's data retention and privacy policy.
If the publisher cannot clearly explain the API usage and billing flow, treat the skill as untrusted.
Like a lobster shell, security has layers — review code before you run it.
latest vk978xxwps988na35vgvzkf0weh83q5s6
Runtime requirements
🧬 Clawdis
Env: ORACLAW_API_KEY
Primary env: ORACLAW_API_KEY
