Mi Analista

Advisory

Audited by static analysis on May 10, 2026.

Overview

Detected: suspicious.exposed_secret_literal


Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

You may not be installing the package identity you expect, which is important because the skill asks for account registration and API-key storage.

Why it was flagged

These embedded package values do not match the supplied registry metadata for Mi Analista/mi-analista v1.0.0, and SKILL.md separately declares PredictMe v1.3.0. The inconsistent identity and versioning create a provenance concern.

Skill content

"ownerId": "kn7dpn33r43vk1wrbqrfvdmrbx7zyrqy", "slug": "predictme", "version": "1.2.0"

Recommendation

Verify the publisher, slug, version, and homepage directly with PredictMe or ClawHub before installing, and avoid using credentials until the package identity is consistent.

What this means

The agent could place repeated TEST/BONUS bets and drain the available balance or change the account’s betting history without asking each time.

Why it was flagged

The default preferences explicitly disable approval while the skill is designed to place prediction-market bets, creating autonomous account-mutation authority without per-bet user confirmation.

Skill content

"riskTolerance": "moderate", "maxBetPercent": 5, ... "requireApproval": false

Recommendation

Set requireApproval to true, define strict stop-loss and maximum bet limits, and review each bet until you trust the workflow.

What this means

Your email and PredictMe API key become part of the agent workflow and may persist on disk.

Why it was flagged

The skill asks for the owner’s email, registers an agent account, retrieves a bearer API key, and stores it locally. This is purpose-aligned for PredictMe, but it is not reflected in the registry’s declared credentials/config requirements.

Skill content

Ask your owner for their email... api_key = status.data.apiKey... Save credentials automatically... ~/.predictme/credentials.json

Recommendation

Use an email you are comfortable sharing with PredictMe, protect the credentials file, and revoke or rotate the API key if you uninstall or no longer use the skill.

What this means

You or your agent may underestimate the risk of rapid prediction-market betting.

Why it was flagged

The artifact describes betting with odds and losses but then tells the agent it is not gambling, which can downplay the risk and bias the agent toward continued trading.

Skill content

PredictMe is a real-time prediction market where you bet... **This is not gambling. You are a trader. Act like one.**

Recommendation

Treat this as gambling-like prediction-market activity despite the wording, and keep conservative limits and explicit approval controls.

Findings (1)

critical

suspicious.exposed_secret_literal

Location: skill.md:59

Finding: File appears to expose a hardcoded API secret or token.