ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Oraclaw Forecast

v1.0.0

Time series forecasting for AI agents. ARIMA and Holt-Winters predictions with confidence intervals. Predict revenue, traffic, prices, or any sequential data...

0· 43·0 current·0 all-time
by@whatsonyourmind
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The name/description (time-series forecasting) matches the single required credential (ORACLAW_API_KEY) if the skill calls an external Oraclaw API. However, the SKILL.md contains only an in-agent tool signature for predict_forecast and no network endpoints, authentication flow, or examples showing the API key being used. That mismatch (requiring a secret but not describing its use) is unexpected and warrants clarification.
!
Instruction Scope
The instructions describe inputs/outputs and forecasting rules but do not instruct the agent to call any external API or use the ORACLAW_API_KEY environment variable. They also do not indicate how user data is transmitted or billed. The scope is narrowly focused on forecasting logic, but the omission of networking/auth steps is an incoherence risk (either the skill is purely local and doesn't need the key, or it is external and the docs are incomplete).
Install Mechanism
No install specification and no code files are present, so nothing is written to disk and there is no installer risk. This is the lowest-risk install vector.
Credentials
Only one environment variable (ORACLAW_API_KEY) is required, which is proportionate for an API-backed forecasting service. However, the SKILL.md never references the variable or shows how it would be used, so the justification for requesting the secret is missing.
Persistence & Privilege
always is false and the skill is user-invocable; it does not request permanent inclusion or elevated platform privileges. Autonomous invocation is allowed by default (disable-model-invocation is false), which is normal but should be considered alongside other risks.
What to consider before installing
This skill looks plausible for forecasting, but there is a key inconsistency: it requires ORACLAW_API_KEY yet the runtime instructions do not show any network calls, endpoints, or how the key is used. Before installing or providing secrets: 1) Ask the maintainer for concrete API docs or sample requests (endpoint URL, authentication header format, example cURL). 2) Verify the billing details and how data are transmitted/stored (privacy policy, terms, and whether data are sent to oraclaw.dev or another host). 3) Confirm the homepage and owner identity (who runs oraclaw.dev). 4) Avoid inserting your production API key until you can test with a throwaway key and observe calls. 5) If the skill is intended to run locally without network access, request an updated SKILL.md that removes the ORACLAW_API_KEY requirement. Providing those clarifications would increase confidence and could change this assessment to benign.

Like a lobster shell, security has layers — review code before you run it.

latestvk97aemh389n2azb1tkasvj5bdh83prsj

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📈 Clawdis
EnvORACLAW_API_KEY
Primary envORACLAW_API_KEY

Comments