Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
alphaear-predictor
v1.0.0
Market prediction skill using Kronos. Use when user needs finance market time-series forecasting or news-aware finance market adjustments.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (Kronos-based market forecasting) align with the code: many predictor modules, prompt-driving agents, and forecast helpers exist. However the registry metadata declares no required env vars/configs while SKILL.md and the code do require/expect EMBEDDING_MODEL, optional KRONOS_MODEL_PATH and an `exports/models` checkpoint directory. The README expects exports/models at project root while code looks under scripts/predictor/exports/models — a path mismatch. Also the skill declares no install spec but depends on heavy ML libraries (torch, transformers, sentence-transformers), which is disproportionate to being an 'instruction-only' skill in the registry metadata.
Instruction Scope
SKILL.md and prompts instruct the agent to load local model weights, read a .env, and call external 'web_search' / 'fetch_news_content' / 'get_stock_price' tools (prompts mandate calling them). The code uses load_dotenv() and will attempt to download models/tokenizers from Hugging Face if not present locally. Prompts also require strict JSON outputs and instruct agents to fetch live prices/news; this grants the agent broad network and tool usage. The instruction text also tells the operator to place .pt checkpoint files in a directory and trusts weights_only=True but the code contains a fallback to legacy torch.load if safe loading fails — allowing potential code execution via malicious checkpoints.
Install Mechanism
There is no install spec in the registry entry even though the code requires heavy ML packages and model artifacts. The code will attempt network activity: SentenceTransformer and from_pretrained calls (Hugging Face) can download models, and the Kronos tokenizer/model are fetched by name if not cached. The skill will therefore pull sizeable artifacts at runtime (trusted hosts like Hugging Face), and the code also glob-loads local .pt checkpoint files. Lack of an explicit, auditable install step and dependency pinning increases supply-chain risk.
Credentials
Registry metadata lists no required environment variables, yet SKILL.md documents EMBEDDING_MODEL and KRONOS_MODEL_PATH and the code calls load_dotenv() (reading a .env). That inconsistency means the skill may read arbitrary environment variables or secrets from a .env without the user being warned or requiring specific credentials. The prompts direct use of external web search and data-fetching tools (which may themselves require API keys) but no such credentials are declared or constrained.
Persistence & Privilege
The skill is not always-included and does not request special platform privileges. It does not appear to modify other skills or global agent configuration. Note: the skill can be invoked autonomously by the agent (platform default), which increases blast radius if other risks are exploited — combine this with the other flagged issues before enabling autonomous runs.
Scan Findings in Context
[USE_DOTENV] unexpected: The code calls load_dotenv() and SKILL.md references EMBEDDING_MODEL and KRONOS_MODEL_PATH, but the registry lists no required env vars. Reading a .env can expose unrelated secrets; this should be explicitly declared and limited.
[REMOTE_MODEL_DOWNLOAD_HF] expected: The predictor attempts to load SentenceTransformer and model/from_pretrained names, falling back to network downloads from Hugging Face. Remote downloads are expected for an ML forecasting skill, but the registry/README should document this and require trusted network policy.
[TORCH_LOAD_FALLBACK_PICKLE] unexpected: The code attempts torch.load(latest_model, weights_only=True) but falls back to torch.load(latest_model) on failure. Legacy torch.load can deserialize pickled objects and execute code from malicious .pt files. The SKILL.md cautions about trusting checkpoints, but the presence of an unconditional fallback is a real supply-chain/execution risk.
What to consider before installing
What to consider before installing/using this skill:
1. Declare and verify required environment/config: The registry lists no env vars but the code uses EMBEDDING_MODEL and optional KRONOS_MODEL_PATH and also reads a .env file. Ask the publisher to explicitly list required env vars and config paths, and do not place unrelated secrets in the .env used by this skill.
2. Check and pin dependencies and installation: The skill needs torch, transformers, sentence-transformers, etc. There is no install script or pinned versions. Install in a sandboxed environment (container/VM) and pin dependency versions before running.
3. Audit model checkpoints before loading: The skill will load local 'kronos_news_*.pt' files and may fall back to an unsafe torch.load. Only use trusted checkpoints. Prefer removing the legacy torch.load fallback or force weights_only loads and verify files (checksums/signatures) before use.
4. Expect network activity: If local models are missing, the code will download tokenizers/models from Hugging Face. If you require offline operation, pre-populate the expected artifacts and set local-only flags. Be prepared for large downloads and verify host trust.
5. Prompt/tool behavior: The bundled prompts instruct agents to call web_search, fetch_news_content and to retrieve live prices. Confirm what tool integrations are available and whether they require API keys (and where those keys are stored). Do not give the skill access to broad network or production credentials until audited.
6. Path mismatch & repository layout: SKILL.md says exports/models in project root but code looks under scripts/predictor/exports/models — confirm actual expected path to avoid accidentally placing files in the wrong location.
7. Run tests in isolation: Use the included tests (tests/test_predictor.py) in an isolated environment first. Consider a code review of the checkpoint-loading logic and remove unsafe fallbacks.
8. Ask for provenance: The skill has no homepage and unknown source. Prefer skills with a reputable source or request the author/publisher to provide a source repo, dependency lock, and signed model artifacts.
If you cannot verify the model checkpoints or you cannot run the skill in an isolated sandbox, treat it as higher risk and avoid running it with any credentials or on sensitive data.
scripts/utils/predictor/evaluation.py:59
Dynamic code execution detected.
scripts/utils/predictor/training.py:308
Dynamic code execution detected.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
