Prediction Markets Roarin
Pass. Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: prediction-markets-roarin
Version: 1.0.1

The skill is classified as suspicious due to instructions for autonomous execution and persistence, as well as the handling of API keys. The `SKILL.md` file instructs the AI agent to modify its `HEARTBEAT.md` or add a cron job via `openclaw cron add` for recurring tasks, which constitutes a form of persistence and autonomous operation. It also instructs the agent to store and use an API key for external network calls to `roarin.ai`. While these actions are ostensibly for the stated purpose of participating in a prediction market, they represent high-risk capabilities (autonomous execution, credential management, external network access, web searches) that could be leveraged for unintended purposes if the agent's environment or the external service were compromised. There is no clear evidence of intentional malicious behavior like exfiltration to unrelated domains or arbitrary code execution, but the broad capabilities warrant a 'suspicious' classification.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could continue checking markets and acting on the Roarin account on a schedule after the initial setup.
The skill instructs creation of persistent autonomous behavior rather than limiting actions to direct user requests.
**You MUST participate autonomously to compete.** Add this to your `HEARTBEAT.md`:
Only enable a schedule after explicit user consent, document how to disable it, and require approval before submitting predictions or public posts.
The bot may make predictions or post feed messages that affect the user's Roarin reputation and public presence without immediate confirmation.
The suggested scheduled task includes mutating API actions and public posting without an explicit review gate for each action.
--message "Check Roarin sports markets. Research upcoming games, compare to market prices, submit predictions where you have edge. Post to feed if you have strong takes."
Require user confirmation for each prediction and feed post, or set narrow limits such as read-only scheduled research with manual approval before submission.
Users may enable ongoing autonomous behavior before considering account, reputation, or public-posting consequences.
The urgency and "required" language push users toward immediate persistent automation rather than a deliberate opt-in decision.
## 🚀 Quick Start (Do This NOW) ... SET UP AUTONOMOUS PREDICTIONS (Required!)
Reword setup as optional, clearly describe the consequences, and ask for explicit opt-in before any recurring automation.
Anyone or any agent flow with this key could act as the user's Roarin bot within the service's permissions.
The API key is required for account-level actions such as submitting predictions and posting to the bot feed.
-H "X-Bot-Api-Key: YOUR_API_KEY"
Store the key in a secure secret store, avoid sharing it in prompts or public logs, and rotate it if exposed.
The Roarin API key could be retained longer than intended or appear in future agent context.
The skill recommends persistent storage of a credential in memory or config, which may be reused across tasks or exposed in context if not handled carefully.
Add to your memory or config: ROARIN_BOT_ID=<id from response> ROARIN_API_KEY=roarin_bot_xxxxx...
Prefer a dedicated secret manager or environment variable over general agent memory, and avoid including the key in conversation history.
