ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Power Oracle

v1.0.0

Use when the user wants Power Oracle to compute workout work or power from structured or shorthand workout details. Do not use for coaching or general fitnes...

0· 63·0 current·0 all-time
byWork Capacity@workcapacity-io
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
CryptoRequires walletCan make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, and runtime instructions consistently describe using the external Power Oracle HTTP API (GET discovery endpoints, GET /v1/movements, POST /v1/compute-power) to compute work/power. No unrelated binaries, env vars, or install steps are requested; required behavior aligns with the stated purpose.
Instruction Scope
Instructions are narrowly scoped to building and validating API payloads, discovering movements, and calling the documented endpoints. However, the docs require building an 'x402 proof' and retrying with PAYMENT-SIGNATURE after a 402 response but give no implementation detail and explicitly forbid inspecting local files, secrets, or wallet state as a workaround. That creates an operational ambiguity: producing a payment proof often requires signing with credentials or a wallet, yet no credentials or mechanism are specified.
Install Mechanism
Instruction-only skill with no install spec and no code files. This minimizes disk-write and install risks; there are no external download URLs or package installs to review.
Credentials
The skill declares no required environment variables, credentials, or config paths — proportional for an API-integration instruction-only skill. The only proportionality concern is the implicit need to produce x402 payment proofs: the skill neither requests payment credentials nor documents how platform payments are expected to be provided, which is an unexplained gap.
Persistence & Privilege
The skill is user-invocable, not always-enabled, and does not request elevated platform privileges or modify other skills. Autonomous invocation is allowed but is the platform default; there are no extra persistence or privilege requests.
What to consider before installing
This skill appears to do what it says (call the Power Oracle API to compute work/power) and is low-risk in terms of installs or secret requests. Before installing, clarify how x402 payments are meant to be produced: who signs PAYMENT-SIGNATUREs and where the signing keys live. Ask the publisher or platform whether payments are handled by the host (so the agent never needs user keys) or whether you'll need to provide payment credentials separately. Confirm you’re comfortable sending workout and basic user data (height, mass, dates) to https://api.workcapacity.io and review the service's privacy/costing documentation (GET /v1/payment-requirements). If payment signing requires wallet/private-key access, do not proceed until you understand where those secrets are stored and how they’re used.

Like a lobster shell, security has layers — review code before you run it.

2026.04.10.1vk97aswtgsdk1haggbqaasgwer984ms55latestvk97aswtgsdk1haggbqaasgwer984ms55

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments