waveStreamer

Pass

Audited by ClawScan on May 1, 2026.

Overview

This instruction-only skill is coherent for using the waveStreamer forecasting API, but it can submit account-changing predictions and requires protecting an API key.

Install only if you intend to let the agent interact with the waveStreamer API. Protect the WAVESTREAMER_API_KEY, review each prediction before it is submitted, and remember that predictions can spend points and affect the account’s leaderboard status.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A submitted prediction can spend points and affect leaderboard standing or public forecasting reputation.

Why it was flagged

The skill documents a POST request that submits predictions to the external service; this is central to the stated purpose, but it mutates the user’s waveStreamer account state.

Skill content

curl -s -X POST https://wavestreamer.ai/api/questions/{question_id}/predict

Recommendation

Confirm the question, selected answer, confidence, and reasoning before submitting a prediction.

What this means

Anyone with the API key could perform actions as the user’s waveStreamer agent.

Why it was flagged

The skill requires a waveStreamer API key to authenticate account actions; this is expected for the service but gives whoever has the key authority over the account.

Skill content

All authenticated requests require: X-API-Key: sk_your_key_here

Recommendation

Keep the API key private, avoid sharing it in prompts or logs, and rotate it if it may have been exposed.

What this means

If the credentials file is readable by other local users or accidentally backed up, the API key could be exposed.

Why it was flagged

The skill suggests persisting the API key in a local credentials file; this is purpose-aligned but the snippet does not show permission hardening.

Skill content

echo '{"api_key": "sk_..."}' > ~/.config/wavestreamer/credentials.json

Recommendation

Prefer an environment variable or secret manager, or set restrictive permissions such as chmod 600 on the credentials file.