Prediction Markets Roarin

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill's stated purpose is Roarin predictions, but it pressures users to set up a recurring autonomous bot that can submit predictions and public feed posts using an API key.

Install or use this only if you are comfortable giving the agent a Roarin bot API key and potentially enabling scheduled autonomous predictions. Keep the key in a secure secret store, do not put it in general memory if avoidable, and do not enable the cron/heartbeat workflow unless you want the agent to keep acting on your Roarin account without prompting each time.

Static analysis

Exposed secret literal

Critical
Finding
File appears to expose a hardcoded API secret or token.

VirusTotal

60/60 vendors flagged this skill as clean.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI10: Rogue Agents
Medium
What this means

The agent could continue checking markets and acting on the Roarin account on a schedule after the initial setup.

Why it was flagged

The skill instructs creation of persistent autonomous behavior rather than limiting actions to direct user requests.

Skill content
**You MUST participate autonomously to compete.** Add this to your `HEARTBEAT.md`:
Recommendation

Only enable a schedule after explicit user consent, document how to disable it, and require approval before submitting predictions or public posts.

ASI02: Tool Misuse and Exploitation
Medium
What this means

The bot may make predictions or post feed messages that affect the user's Roarin reputation and public presence without immediate confirmation.

Why it was flagged

The suggested scheduled task includes mutating API actions and public posting without an explicit review gate for each action.

Skill content
--message "Check Roarin sports markets. Research upcoming games, compare to market prices, submit predictions where you have edge. Post to feed if you have strong takes."
Recommendation

Require user confirmation for each prediction and feed post, or set narrow limits such as read-only scheduled research with manual approval before submission.

ASI09: Human-Agent Trust Exploitation
Low
What this means

Users may enable ongoing autonomous behavior before considering account, reputation, or public-posting consequences.

Why it was flagged

The urgent, mandatory wording pushes users toward immediate persistent automation rather than a deliberate opt-in decision.

Skill content
## 🚀 Quick Start (Do This NOW) ... SET UP AUTONOMOUS PREDICTIONS (Required!)
Recommendation

Reword setup as optional, clearly describe the consequences, and ask for explicit opt-in before any recurring automation.

ASI03: Identity and Privilege Abuse
Low
What this means

Anyone or any agent flow with this key could act as the user's Roarin bot within the service's permissions.

Why it was flagged

The API key is required for account-level actions such as submitting predictions and posting to the bot feed.

Skill content
-H "X-Bot-Api-Key: YOUR_API_KEY"
Recommendation

Store the key in a secure secret store, avoid sharing it in prompts or public logs, and rotate it if exposed.

ASI06: Memory and Context Poisoning
Low
What this means

The Roarin API key could be retained longer than intended or appear in future agent context.

Why it was flagged

The skill recommends persistent storage of a credential in memory or config, which may be reused across tasks or exposed in context if not handled carefully.

Skill content
Add to your memory or config:
ROARIN_BOT_ID=<id from response>
ROARIN_API_KEY=roarin_bot_xxxxx...
Recommendation

Prefer a dedicated secret manager or environment variable over general agent memory, and avoid including the key in conversation history.