Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Oraclaw Risk
v1.0.0
Risk assessment engine for AI agents. Value at Risk (VaR), CVaR, stress testing, and multi-factor risk scoring. Monte Carlo powered. Built for trading agents...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description promise (Monte Carlo/Bayesian risk engine) is plausible for a risk skill, but the declared primary credential ORACLAW_API_KEY has no usage or justification in SKILL.md. Either the skill calls an external Oraclaw API (not documented) or the env var is unnecessary; this inconsistency undermines trust.
Instruction Scope
SKILL.md contains well-scoped guidance for computing VaR/CVaR, stress tests, and example input. It does not direct the agent to read files, secrets, or run system commands. However, it also omits any runtime instruction about network calls, API endpoints, or how/when to use ORACLAW_API_KEY—creating ambiguity about execution location (local vs remote).
Install Mechanism
No install spec and no code files are present, so nothing is written to disk or automatically installed. This is low-risk from an installation perspective.
Credentials
requires.env lists a single credential ORACLAW_API_KEY as primary, but SKILL.md never references it. Requesting an API key without documenting its use is disproportionate. Also, pricing/payment details (USDC on Base via 'x402') are incomplete and unexplained.
Persistence & Privilege
always is false and the skill is user-invocable only. It does not request permission to remain permanently enabled or modify other skills; no elevated persistence is requested.
What to consider before installing
This skill describes a Monte Carlo/Bayesian risk engine but declares an ORACLAW_API_KEY without telling you how it will be used. Before installing or supplying any API key:
1) Ask the publisher to explicitly document runtime behavior — does the agent call https://oraclaw.dev or another endpoint? Provide full API endpoints and examples of requests that use ORACLAW_API_KEY.
2) Verify the pricing/payment mechanism and full payment address; 'x402' is not a complete address.
3) If an external API call is required, request that the skill document what data is sent to the remote service and how results are returned.
4) If you must provide a key, use a scoped, revocable key with minimal permissions and monitor its usage; rotate it after testing.
5) Prefer not to install or provide secrets until the developer supplies clear runtime/endpoint details or ships code showing local-only computation.
If the developer updates SKILL.md to either remove the API key requirement (if computation is local) or to clearly document API endpoints and the exact use of ORACLAW_API_KEY, this assessment could be revised to benign.
Like a lobster shell, security has layers — review code before you run it.
latest vk97bngz1n94xx1f0629y0qznf183pxny
Runtime requirements
⚠️ Clawdis
Env: ORACLAW_API_KEY
Primary env: ORACLAW_API_KEY
