Skill v0.0.2

ClawScan security

Prediction Bridge Dev · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 12, 2026, 10:50 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requirements and instructions match its stated purpose (searching Prediction Bridge via the backend API); nothing requests unrelated credentials or installs, though it will send user-provided text to an external service.
Guidance
This skill appears to do what it says: it posts user-provided text or X (Twitter) links to Prediction Bridge's backend and returns parsed prediction-market matches. Before installing, consider: (1) queries (including any URLs or tweet text) are sent to the external Prediction Bridge server — avoid sending sensitive secrets or private data; (2) the SKILL.md documents an optional PREDICTION_BRIDGE_API_URL you can set to point to a different backend, but the registry metadata didn't list that env var (harmless but inconsistent); (3) verify you trust the Prediction Bridge service and its privacy policy if you'll be sending non-public information. Otherwise the skill is internally consistent and low-risk.

Review Dimensions

Purpose & Capability
ok: Name/description match the runtime instructions: the SKILL.md instructs the agent to POST a search payload to Prediction Bridge's /search/unified endpoint and return parsed event results. Declared required binary (curl) is exactly what the instructions use.
Instruction Scope
note: Instructions are narrowly scoped to building a text (or X URL) query, calling the unified search API via curl, validating/parsing the JSON, and presenting summarized event snapshots. Important privacy note: any user text, URLs, or resolved tweet contents are transmitted to the external Prediction Bridge backend — this is expected for the skill but is a data-exfiltration surface the user should know about. Also, the SKILL.md references an optional env var (PREDICTION_BRIDGE_API_URL) that is not listed under 'required env vars' in the registry metadata (minor mismatch).
Install Mechanism
ok: No install spec and no code files — instruction-only skill. This is low-risk from an install perspective (nothing is downloaded or written to disk).
Credentials
note: The registry lists no required environment variables or credentials (appropriate). The SKILL.md documents an optional PREDICTION_BRIDGE_API_URL env var to override the API base — that's reasonable, but it's an env var referenced in runtime docs that wasn't declared in the metadata (minor inconsistency). The skill does not request keys/tokens or other unrelated secrets.
Persistence & Privilege
ok: always:false and no install actions; the skill does not request permanent presence or elevated privileges and does not attempt to modify other skills or system config.