Prediction Bridge Dev

Pass. Audited by ClawScan on May 1, 2026.

Overview

This instruction-only search skill appears purpose-aligned, but it sends the user's query or X link to Prediction Bridge's backend using curl.

Before installing, be aware that searches are sent to Prediction Bridge's backend. Do not submit confidential text or private links, and make sure any configured PREDICTION_BRIDGE_API_URL points to a service you trust.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A malformed or adversarial query could break the request if the agent does not encode it correctly, though the intended action is only a search request.

Why it was flagged

The skill expects the agent to construct a curl request containing user-provided text or a URL. This is purpose-aligned, but user input should be safely JSON-escaped rather than naively inserted into a shell command.

Skill content

Use `exec` with `curl` ... "text": "<USER_TEXT_OR_X_URL>"

Recommendation

Use safe JSON construction/escaping for the request body and keep the command limited to the documented POST request.

What this means

Search terms, pasted article URLs, or X links will be visible to the Prediction Bridge backend service.

Why it was flagged

The artifact clearly discloses that user-provided text or X links are sent to an external backend API for search and resolution.

Skill content

Production: `https://prediction-bridge.onrender.com/api/v1` ... If the user provides an X status link, pass the URL as `text` unchanged.

Recommendation

Avoid using the skill with private, sensitive, or confidential text/URLs unless you are comfortable sharing them with the external service.