Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Ai Intelligent Demand Forecasting
v1.0.0 · Demand forecasting, sales forecasting + replenishment planning.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The stated purpose (sales/demand forecasting and replenishment planning) matches the SKILL.md feature list. However, the SKILL.md expects a Python/FastAPI application to be installed and run, while the skill metadata declares no required binaries or install steps. Declaring no required binaries (git, python, pip) is inconsistent with the installation instructions.
Instruction Scope
The SKILL.md instructs the user/agent to git clone a GitHub repo, pip install requirements, and run python app.py — which will download and execute remote code and may start a networked service. The instructions do not ask for unrelated files or credentials, but they do direct the agent/user to fetch and run arbitrary code from an external source without checksum or version pinning.
Install Mechanism
There is no formal install spec in the registry entry, but the doc-level install steps use git clone from github.com/openclaw-skills/... and pip install -r requirements.txt. Downloading and executing from an external repo is higher risk than an instruction-only skill; the repo is a known host (GitHub) which reduces some risk, but there's no release/tag or integrity verification specified.
Credentials
The metadata lists no required environment variables or credentials and the instructions do not request secrets. That is proportionate, but the instructions implicitly require access to network, filesystem, and the ability to run Python and pip — these capabilities are not declared in the skill manifest. Running the app may open a network port (FastAPI) which could expose a persistent service.
Persistence & Privilege
The skill is not marked always:true and does not request persistent platform privileges. Still, following the instructions will install and run a persistent service (python app.py) on the host if executed — something the registry metadata does not call out. This increases operational exposure if you install it on production systems.
What to consider before installing
This skill's description aligns with demand-forecasting, but its SKILL.md tells you to clone and run code from a GitHub repo while the skill metadata lists no required binaries or install steps — an inconsistency. Before installing or running it: (1) inspect the GitHub repository and commit history yourself; prefer a tagged release and verify integrity (checksum/signature) if possible; (2) review requirements.txt for suspicious packages or post-install scripts; (3) run the code in an isolated environment (container or VM) and do not run it on production hosts; (4) ensure you have git, python, and pip available and be aware the app may open network ports; (5) if you need the skill to be registry-hosted, ask the publisher to include code or a formal install spec and to declare required binaries and permissions. If you cannot review the external repository, treat the package as untrusted.
Like a lobster shell, security has layers — review code before you run it.
latest · vk97bbesebwzmfm122ys28z3e0x833f39
Runtime requirements
🤖 Clawdis
