Prediction Stack Orchestrator Security Report — Trusted | ClawSafe

0 /100

Prediction Stack Orchestrator

Three-agent pipeline orchestrator (Kalshalyst, Eval, Executor) for automated Kalshi prediction market trading

Legitimate prediction market trading orchestrator with clean, documented code. Server monitors processes/configs, HTML is a React dashboard — no malicious patterns found.

Skill NamePrediction Stack Orchestrator

Duration24.4s

Enginepi

✓

Safe to install

No action needed. Skill is safe to use.

Resource	Declared	Inferred	Status	Evidence
Shell	`READ`	`READ`	✓ Aligned	monitor/server.py:89 subprocess.run(['ps','aux'],...)
Filesystem	`READ`	`READ`	✓ Aligned	monitor/server.py: _read_json() reads ~/kelly_config.json
Network	`READ`	`READ`	✓ Aligned	monitor/server.py:179 HTTPServer serves localhost only
Environment	`NONE`	`NONE`	—	No os.environ iteration observed
Clipboard	`NONE`	`NONE`	—	No clipboard access
Browser	`NONE`	`NONE`	—	React dashboard runs in browser, no automation
Database	`NONE`	`NONE`	—	No database access

4 findings

🔗

Medium External URL 外部 URL

https://x.com/KingMadeLLC

SKILL.md:537

🔗

Medium External URL 外部 URL

https://cdnjs.cloudflare.com/ajax/libs/react/18.2.0/umd/react.production.min.js

monitor/index.html:7

🔗

Medium External URL 外部 URL

https://cdnjs.cloudflare.com/ajax/libs/react-dom/18.2.0/umd/react-dom.production.min.js

monitor/index.html:8

🔗

Medium External URL 外部 URL

https://cdnjs.cloudflare.com/ajax/libs/babel-standalone/7.23.9/babel.min.js

monitor/index.html:9

File Tree

3 files · 59.4 KB · 1448 lines

HTML 1f · 587L Markdown 1f · 539L Python 1f · 322L

├─ ▾ 📁 monitor

│ ├─ 📄 index.html HTML 587L · 20.9 KB

│ └─ 🐍 server.py Python 322L · 11.0 KB

└─ 📝 SKILL.md Markdown 539L · 27.5 KB

Security Positives

✓ No subprocess remote execution — only local process listing (ps/pgrep) for monitoring

✓ No credential harvesting — reads only trading config files (kelly_config.json, ensemble_weights.json), no ~/.ssh or .env access

✓ No base64 encoding, eval(), or obfuscated code

✓ No external network requests — HTTPServer binds to 0.0.0.0:3333 for local dashboard only

✓ HTML file is a standard React dashboard using CDN-hosted React 18 — no hidden instructions or data exfiltration

✓ No curl|bash, wget|sh, or remote script execution

✓ All subprocess usage is documented in source and serves legitimate process monitoring

✓ No supply chain risk — no pip install, no unpinned dependencies in the skill

Scan Report

File Tree

Security Positives