Prediction Stack Setup
ReviewAudited by ClawScan on May 10, 2026.
Overview
This skill appears aimed at its stated trading-stack setup purpose, but it should be reviewed because it handles financial/API secrets, suggests commands that reveal secrets, and creates persistent background automation.
Use this only if you want persistent automated prediction-market monitoring and you trust the publisher. Before running setup, review the validation script, avoid any troubleshooting command that prints keys or config contents, use revocable/least-privilege credentials where possible, confirm every cron and heartbeat entry, and verify the iMessage delivery target.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Secrets could appear in terminal scrollback, logs, screenshots, or copied diagnostics, which could enable account misuse or API charges if shared.
The troubleshooting steps encourage displaying private-key material and API keys in the terminal while the skill manages Kalshi and Anthropic credentials.
Verify: `cat ~/.openclaw/keys/kalshi-secret.pem | head -5` ... Verify: `echo $ANTHROPIC_API_KEY` (should show your key, not empty)
Do not print secrets. Verify files with existence/permission checks or masked fingerprints, and rotate any key that was displayed or shared.
Background jobs may keep using API keys, consuming credits, reading trading/portfolio data, and sending alerts after setup.
The setup creates persistent scheduled jobs and ambient runtime behavior that continue outside the immediate user request.
- **6 scheduled jobs**: morning brief, evening brief, edge scan, social signal scan, drift monitor, arbitrage scan - **Heartbeat config**: 30-minute ambient awareness during waking hours
Before enabling, inspect the exact cron and heartbeat entries, confirm each schedule, and make sure there is a clear disable or uninstall procedure.
Misconfigured delivery targets or unsecured BlueBubbles setup could expose trading alerts or portfolio-related information to the wrong place.
The skill routes alert content through a messaging bridge. This is purpose-aligned, but the recipient and message contents matter.
- **iMessage delivery**: All alerts route to your phone via BlueBubbles
Verify the destination before enabling alerts, send a harmless test message first, and secure the BlueBubbles service.
Users have less provenance information to decide whether to trust the publisher and code.
The registry metadata does not provide a clear source or homepage for a skill that handles credentials and creates background jobs.
Source: unknown; Homepage: none
Install only if you trust the publisher, and review the included files and referenced stack repository before providing credentials.
Running the helper can create or read OpenClaw config files and make validation requests to configured providers.
The skill asks the user to run a local Python helper. This is expected for API validation, but it is still local code execution that reads config and contacts provider APIs.
Run the validation script: `python ~/skills/prediction-stack-setup/scripts/validate_setup.py`
Review the script and requirements before running it, and run it only from the installed skill directory you intended to use.