Prediction Stack Setup
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Secrets could appear in terminal scrollback, logs, screenshots, or copied diagnostics, which could enable account misuse or API charges if shared.
The troubleshooting steps encourage displaying private-key material and API keys in the terminal while the skill manages Kalshi and Anthropic credentials.
Verify: `cat ~/.openclaw/keys/kalshi-secret.pem | head -5` ... Verify: `echo $ANTHROPIC_API_KEY` (should show your key, not empty)
Do not print secrets. Verify files with existence/permission checks or masked fingerprints, and rotate any key that was displayed or shared.
Background jobs may keep using API keys, consuming credits, reading trading/portfolio data, and sending alerts after setup.
The setup creates persistent scheduled jobs and ambient runtime behavior that continue outside the immediate user request.
- **6 scheduled jobs**: morning brief, evening brief, edge scan, social signal scan, drift monitor, arbitrage scan - **Heartbeat config**: 30-minute ambient awareness during waking hours
Before enabling, inspect the exact cron and heartbeat entries, confirm each schedule, and make sure there is a clear disable or uninstall procedure.
Misconfigured delivery targets or unsecured BlueBubbles setup could expose trading alerts or portfolio-related information to the wrong place.
The skill routes alert content through a messaging bridge. This is purpose-aligned, but the recipient and message contents matter.
- **iMessage delivery**: All alerts route to your phone via BlueBubbles
Verify the destination before enabling alerts, send a harmless test message first, and secure the BlueBubbles service.
Users have less provenance information to decide whether to trust the publisher and code.
The registry metadata does not provide a clear source or homepage for a skill that handles credentials and creates background jobs.
Source: unknown; Homepage: none
Install only if you trust the publisher, and review the included files and referenced stack repository before providing credentials.
Running the helper can create or read OpenClaw config files and make validation requests to configured providers.
The skill asks the user to run a local Python helper. This is expected for API validation, but it is still local code execution that reads config and contacts provider APIs.
Run the validation script: `python ~/skills/prediction-stack-setup/scripts/validate_setup.py`
Review the script and requirements before running it, and run it only from the installed skill directory you intended to use.