Prediction Stack Setup

Pass. Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: prediction-stack-setup
Version: 1.1.1

The Prediction Stack Setup bundle is a legitimate configuration utility designed to orchestrate a suite of prediction market trading skills. It includes a validation script (scripts/validate_setup.py) that tests API connectivity for services like Kalshi and Anthropic, and a comprehensive SKILL.md that guides the agent through setting up cron jobs and iMessage alerts. The code and instructions are transparent, follow the stated purpose of system automation, and do not exhibit signs of data exfiltration, unauthorized persistence, or malicious prompt injection.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Secrets could appear in terminal scrollback, logs, screenshots, or copied diagnostics, which could enable account misuse or API charges if shared.

Why it was flagged

The troubleshooting steps encourage displaying private-key material and API keys in the terminal while the skill manages Kalshi and Anthropic credentials.

Skill content

Verify: `cat ~/.openclaw/keys/kalshi-secret.pem | head -5` ... Verify: `echo $ANTHROPIC_API_KEY` (should show your key, not empty)

Recommendation

Do not print secrets. Verify files with existence/permission checks or masked fingerprints, and rotate any key that was displayed or shared.

Concern (High Confidence)

ASI10: Rogue Agents

What this means

Background jobs may keep using API keys, consuming credits, reading trading/portfolio data, and sending alerts after setup.

Why it was flagged

The setup creates persistent scheduled jobs and ambient runtime behavior that continue outside the immediate user request.

Skill content

- **6 scheduled jobs**: morning brief, evening brief, edge scan, social signal scan, drift monitor, arbitrage scan
- **Heartbeat config**: 30-minute ambient awareness during waking hours

Recommendation

Before enabling, inspect the exact cron and heartbeat entries, confirm each schedule, and make sure there is a clear disable or uninstall procedure.

What this means

Misconfigured delivery targets or unsecured BlueBubbles setup could expose trading alerts or portfolio-related information to the wrong place.

Why it was flagged

The skill routes alert content through a messaging bridge. This is purpose-aligned, but the recipient and message contents matter.

Skill content

- **iMessage delivery**: All alerts route to your phone via BlueBubbles

Recommendation

Verify the destination before enabling alerts, send a harmless test message first, and secure the BlueBubbles service.

What this means

Users have less provenance information to decide whether to trust the publisher and code.

Why it was flagged

The registry metadata does not provide a clear source or homepage for a skill that handles credentials and creates background jobs.

Skill content

Source: unknown; Homepage: none

Recommendation

Install only if you trust the publisher, and review the included files and referenced stack repository before providing credentials.

What this means

Running the helper can create or read OpenClaw config files and make validation requests to configured providers.

Why it was flagged

The skill asks the user to run a local Python helper. This is expected for API validation, but it is still local code execution that reads config and contacts provider APIs.

Skill content

Run the validation script:
`python ~/skills/prediction-stack-setup/scripts/validate_setup.py`

Recommendation

Review the script and requirements before running it, and run it only from the installed skill directory you intended to use.