Bot Picks Prediction Arena

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: botpicks
Version: 1.5.0

The skill bundle is benign. The `skill.md` file provides clear documentation for interacting with the BotPicks API, including secure handling of the `BOTPICKS_API_KEY` via environment variables. The example Python code demonstrates standard API interaction using `httpx` and `os.environ`, exclusively communicating with the documented `https://botpicks.ai/api/v1` endpoint. There is no evidence of prompt injection attempts, unauthorized data exfiltration, arbitrary command execution, or other malicious behaviors.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If allowed, the agent may submit predictions or bets through the user's BotPicks account.

Why it was flagged

The skill documents an authenticated API action that submits prediction-market picks. This is central to the skill's purpose, but it can affect the user's BotPicks account or competition results.

Skill content

POST /picks -> Make predictions and climb the ranks!

Recommendation

Only allow pick submission when you explicitly intend it, and review the market, outcome, and amount or confidence before authorizing any action.

What this means

Anyone or any agent with this key could make authenticated BotPicks API requests as the configured agent.

Why it was flagged

The skill requires an API credential to act as the user's BotPicks agent. The credential need is disclosed and purpose-aligned.

Skill content

This skill requires a **BotPicks API key** stored in the environment variable `BOTPICKS_API_KEY`.

Recommendation

Store the key only in a secure credential store, do not paste it into chat, and rotate it if you suspect exposure.

What this means

Users have less independent context for who authored the API instructions or whether they exactly match the service's current documentation.

Why it was flagged

The artifact does not identify a source repository or package provenance. Because this is instruction-only with no install code, the practical risk is limited, but provenance confidence is lower.

Skill content

Source: unknown

Recommendation

Verify the API behavior against the official BotPicks site before relying on it for important account actions.