Clawstin Morning Paper

Track	Today	Total P&L	Notes
📈 Agent Trader	$+0.00	$+0.00	Swing, public.com
🎲 Polymarket	—	$+0.00	Structural arb, slow
Net (after tax + costs)	$-0.10		vs $10 target: $-10.10

Researcher Report — 2026-03-18

Run time: 2026-03-18 01:05 ET Agent: Researcher (Haiku scan / Sonnet eval) Budget: Budget: $0.0278 / $5.00 used (50 calls, 18757in + 3206out tokens) | $4.9722 remaining

Phase 1: Tech Research

Sources scanned: 776 items across HN + RSS feeds Candidates after scoring: 15 CBL evaluated: 15

EAT (queued to fridge)

- [EAT] Adaptive Theory of Mind for LLM-based Multi-Agent Coordination — _✅ queued_

HOLD (notable but not fridged)

- [HOLD] Anticipatory Planning for Multimodal AI Agents — - [HOLD] Surg$\Sigma$: A Spectrum of Large-Scale Multimodal Data and Foundation Models for Surgical Intelligence — - [HOLD] Data-Local Autonomous LLM-Guided Neural Architecture Search for Multiclass Multimodal Time-Series Classification — - [HOLD] Structure-Aware Multimodal LLM Framework for Trustworthy Near-Field Beam Prediction — - [HOLD] Alignment-Aware Quantization for LLM Safety — - _(and 9 more HOLD items)_

Phase 2: PaperTrader Experiments

_No snapshot data available for today._

Phase 2 Errors

- ⚠️ No snapshot for today — cannot analyze performance

Phase 3: Optimization Analysis

> _Stale files and cron health are auditor territory (autoaudit). This phase covers cost and model routing only._

Session Model Usage (23 sessions, last 7d)

| Model | Mentions | Share | |-------|----------|-------| | Opus | 38 | 51% | | Sonnet | 13 | 17% | | Haiku | 24 | 32% |
Opus-heavy sessions: - `2026-03-14-session-02.md` (3x Opus) — Session 02 — 2026-03-14 (20:43-23:13 EDT, Opus) - `2026-03-14-session-01.md` (3x Opus) — Session 01 — 2026-03-14 (08:12-20:43 EDT, Sonnet→Opus) - `2026-03-12-session-26.md` (4x Opus) — Session 26 — 2026-03-12 (00:00–01:46 EDT, Opus) - `2026-03-11-session-25.md` (3x Opus) — Session 25 — 2026-03-11 (22:03–23:57 EDT, Opus) - `2026-03-11-session-20.md` (4x Opus) — Session 20 — 2026-03-11 (11:17–13:27 EDT, Opus)

Researcher Budget History

- last run: $0.0000 / $5.00 (0% utilized, 0 API calls)

Cron Model Routing Suggestions

- bizbot (currently Opus): Evaluate if Sonnet or Haiku could handle this task — ~10-50x cost reduction per run - agent-trader-premarket (currently Opus): Evaluate if Sonnet or Haiku could handle this task — ~10-50x cost reduction per run

Cost Optimization Opportunities

- Opus referenced in 38 mentions across 23 sessions (51% of model refs) → Review Opus-heavy sessions — most tasks could run on Sonnet at ~10x lower cost _Up to ~10x on affected calls_ - Researcher used only $0.0000 of $5.00 cap (0% utilization) → Consider reducing budget_cap_usd or adding more Phase 1/2 analysis depth _N/A — currently under-utilized_

Phase 4: ClawHub Skill Scan

35 suspicious skill(s): - [SUSPICIOUS] mcp-skill — [SUSPICIOUS]
Red flags present: (1) Zero downloads + newly published by low-reputation author, (2) Vague description listing generic capabilities without specifics on implementation or safety boundaries, (3) Requests broad network access (web search, crawling, LinkedIn) and process spawning potential, (4) No visible source code repository linked, (5) Description reads as capability listing directed at AI agents rather than human operators. - [SUSPICIOUS] mcp-hass — [SUSPICIOUS]
Red flags present: (1) Zero downloads + very recent publication (2026-02-10), (2) No visible source code repository linked, (3) Requests network access to Home Assistant instances (external service communication), (4) MCP protocol implementation from unverified author requires careful code review for security implications.
If relevant: Would support homelab/automation projects, but requires source code audit before use. - [SUSPICIOUS] openclaw-mcp-plugin — [SUSPICIOUS]
Multiple red flags present: zero downloads with new publication date (2026-02-02), no visible source code, requests network access and process spawning capabilities, vague description that could enable arbitrary tool execution, and the skill description reads as instructions to an AI agent ("Enable AI agents to discover and execute tools"). - [SUSPICIOUS] atlassian-mcp — [SUSPICIOUS]
This skill exhibits multiple red flags: zero downloads from a new account (2026-01-25), requests Docker process spawning and filesystem access outside workspace, requires external API credentials, lacks visible source code for security audit, and the description reads as task-oriented instructions ("Use when you need to query...") rather than neutral documentation. - [SUSPICIOUS] clickup-mcp — [SUSPICIOUS]
Red flags: No visible source code, zero downloads with new account (published 2026-01-06), requests network access and OAuth authentication to external service, and vague operational scope ("manage tasks, docs, time tracking, comments, chat, search") without transparent implementation details. - [SUSPICIOUS] glin-profanity-mcp — [SUSPICIOUS]
Red flags present: (1) Zero downloads + new account (published 2026-02-01, author "thegdsks" with no history), (2) No visible source code link provided, (3) Description contains directives framed as use cases ("Use when reviewing batches," "when AI needs") that read as instructions to an AI agent rather than neutral documentation, (4) Vague about actual implementation—claims to provide "profanity detection tools" but doesn't specify what language, model, or API it uses. - [SUSPICIOUS] xiaohongshu-mcp-skill — [SUSPICIOUS]
Multiple red flags present: zero downloads with very recent publish date (2026-02-28), no visible source code repository linked, vague description with truncation ("like/comment/fa..."), requests network access to external Xiaohongshu service, and the description phrasing ("Use when user wants to...") reads as agent-directed instructions rather than technical documentation. - [SUSPICIOUS] wordpress-mcp — [SUSPICIOUS]
Red flags: Zero downloads + very new publication (2026-02-10), no visible source code repository linked, vague technical requirements ("Requires AI Engine plugin"), and the description is heavily agent-directive focused ("Use for creating/editing posts... when asked about WordPress site management") rather than technical documentation. - [SUSPICIOUS] microsoft-ads-mcp — [SUSPICIOUS]
Red flags present: (1) Zero downloads + newly published account (2026-01-26), (2) No visible source code repository linked, (3) Requests network access to external Microsoft Advertising APIs and likely filesystem access for credentials/config, (4) MCP server skills require process spawning which expands attack surface, (5) Vague on implementation details and security model for handling advertising credentials.
Not relevant to active projects (mcp is in keywords but this is advertising-specific, not infrastructure/automation/monitoring focused). - [SUSPICIOUS] mcp-client — [SUSPICIOUS]
Red flags: Zero downloads + new account (published 2026-02-22), no visible source code mentioned, description is vague about what "tools, data sources and services" it actually connects to, and MCP client skills typically require elevated permissions (network access, process spawning) that warrant explicit disclosure. - [SUSPICIOUS] automation-workflows — [SUSPICIOUS]
Red flags: Zero downloads + brand new account (published 2026-02-06), no visible source code repository linked, vague implementation details for a complex tool integration skill, and description reads as general marketing copy rather than technical documentation.
This skill does match the "automation" keyword but insufficient vetting information and new-account status warrant caution before integration. - [SUSPICIOUS] ai-web-automation — [SUSPICIOUS]
Multiple critical red flags: zero downloads with new account (2026-02-20 publish date), no visible source code accessible, vague description that could mask malicious behavior, and the skill requests broad capabilities (web automation, form filling, data scraping, process spawning) that inherently require dangerous permissions (network access, filesystem, process execution) without transparent scope documentation. - [SUSPICIOUS] automation-workflows-0-1-0 — [SUSPICIOUS]
Red flags: Zero downloads + newly published (2026-02-07) + vague description without visible source code or implementation details + no concrete examples of tool integrations or workflow templates provided. - [SUSPICIOUS] agentic-workflow-automation — [SUSPICIOUS]
Red flags present: (1) Zero downloads + newly published account (2026-02-26), (2) Vague description with truncation ("automation handoff arti..."), (3) No visible source code accessible, (4) Description reads as general AI agent instruction rather than concrete tool documentation, (5) Author handle "0x-Professor" suggests potential obfuscation.
If relevant: Could apply to agent and automation keywords, but insufficient information to validate legitimacy before Ghost review. - [SUSPICIOUS] afrexai-business-automation — [SUSPICIOUS]
Red flags present: (1) Zero downloads + newly published account, (2) No visible source code provided, (3) Description is directed at an AI agent ("Turn your AI agent into...") rather than describing what the skill does, (4) Vague claims about implementing automation "no n8n or Zapier required" without technical specifics, and (5) Broad scope across multiple business domains suggests potential for scope creep or hidden functionality. - [SUSPICIOUS] data-automation-service — [SUSPICIOUS]
Multiple red flags: zero downloads with very recent publication date (2026-02-19), vague description lacking technical specifics about API integration methods or data source types, no visible source code repository link, and the generic nature suggests potential for requesting excessive permissions once installed. - [SUSPICIOUS] ai-automation-workflow — [SUSPICIOUS]
Multiple red flags: zero downloads + brand new account (published 2026-03-06), no visible source code repository linked, vague implementation details for n8n/Zapier workflow claims, and the description reads partially as directive text ("幫中小企業設計" = "help SMEs design") rather than neutral skill documentation. - [SUSPICIOUS] afrexai-automation-strategy — [SUSPICIOUS]
Red flags: Zero downloads + new account (published 2026-02-19, author "1kalin" appears to be fresh), vague description (truncated mid-sentence with "across any..."), no visible source code, and the description reads as generic marketing copy rather than concrete functionality documentation—typical markers of low-quality or potentially malicious skill packages. - [SUSPICIOUS] automation-tool — [SUSPICIOUS]
Red flags: Zero downloads + brand new account (published 2026-03-08), vague description in Chinese offering "batch generation" with no visible source code or technical details, and the generic nature suggests potential for misuse in automated content spam or manipulation. - [SUSPICIOUS] ai-automation-consulting — [SUSPICIOUS]
Multiple red flags: zero downloads with very recent publish date (2026-03-14), new/unverified author account (yang1002378395-cmyk), vague description offering generic "AI automation consulting" with no visible source code or technical implementation details, and the skill appears to be a service offering rather than a functional tool/integration. - [SUSPICIOUS] homelab-cluster — [SUSPICIOUS]
Red flags: Zero downloads + newly published (2026-02-12) + vague description lacking implementation details + requests management of "multi-tier AI inference clusters" (likely requires elevated system/network permissions) + no visible source code repository linked. - [SUSPICIOUS] homeserver — [SUSPICIOUS]
Red flags present: (1) Zero downloads + newly published account, (2) Requests significant system access (Docker, SSH, port scanning, filesystem operations, process spawning), (3) No visible source code repository linked, (4) Vague implementation details on how "homebutler CLI" integrates with OpenClaw, (5) Matches keywords but lacks transparency on permission scope and security model.
If investigated: Could support homelab/automation projects, but requires source code review and permission auditing before consideration. - [SUSPICIOUS] raspberry-pi-manager — [SUSPICIOUS]
Multiple red flags: zero downloads + newly published account (2026-03-11), no visible source code mentioned, skill requests low-level system access (GPIO control, process spawning for service management) which could enable filesystem/process escape, and the broad "manage devices" description lacks specificity on permission boundaries. - [SUSPICIOUS] pi-admin — [SUSPICIOUS]
Red flags: Zero downloads + newly published (2026-01-14), no visible source code mentioned, requests filesystem access and process spawning capabilities (inherent to Pi system administration skills), and vague description lacking implementation details or safety boundaries. - [SUSPICIOUS] pi-health — [SUSPICIOUS]
Red flags: Zero downloads + new account (published 2026-02-09), no visible source code link provided, skill requires filesystem access and process spawning (CPU temp, throttling, fan RPM detection), and the description reads as instructions to an AI agent ("Use when monitoring Pi health, diagnosing..."). - [SUSPICIOUS] trading — [SUSPICIOUS]
Red flags present: Zero downloads + newly published (2026-02-12) + vague description lacking technical implementation details + no visible source code repository linked + "trading" keyword match creates relevance bias but skill provides no specifics on how it integrates with OpenClaw architecture. - [SUSPICIOUS] trading-devbox — [SUSPICIOUS]
Red flags: Zero downloads + newly published account (2026-02-25), no visible source code mentioned, description implies arbitrary code execution ("agent writes a Python backtest strategy"), and the skill involves executing user-supplied trading logic which presents code injection and financial loss risks. - [SUSPICIOUS] trading-brain — [SUSPICIOUS]
This skill exhibits multiple critical red flags: zero downloads combined with a very recent publish date from a new account (classic untrusted pattern), vague description lacking technical specifics about implementation, and the description itself reads as a directive to an AI agent ("Load Travis's personal trading strategy...to guide aggressive trades") rather than objective documentation of what the skill does. - [SUSPICIOUS] openmm-grid-trading — [SUSPICIOUS]
Red flags: Zero downloads + newly published (2026-02-25) + unknown author + vague description lacking technical specifics + no visible source code + requests access to trading systems (inherent financial risk) + description reads like a feature pitch rather than implementation detail.
Not recommended for integration without source code audit and author verification. - [SUSPICIOUS] quant-trading-system — [SUSPICIOUS]
Red flags detected: Zero downloads + brand new account (published 2026-03-08), no visible source code repository link provided, vague description lacking technical implementation details, and "trading system" implies network requests and external process spawning (high-risk permissions for untrusted code).
Not recommended for review without source code audit and author verification. - [SUSPICIOUS] kalshi-cli-trading — [SUSPICIOUS]
This skill exhibits multiple red flags: zero downloads with a very recent publish date (2026-03-04), no visible source code repository, vague truncated description, requests network access to external trading platform, and the author "lacymorrow" has no established reputation on the platform. - [SUSPICIOUS] auto-trading-strategy — [SUSPICIOUS]
Red flags present: Zero downloads + new account (published 2026-03-13, author "863king"), vague description lacking technical specifics about implementation, no visible source code repository linked, and the skill name/description suggests financial advisory content which requires higher scrutiny for potential harm or misuse. - [SUSPICIOUS] looloo-trading — [SUSPICIOUS]
Multiple red flags: zero downloads with very recent publication date (2026-03-13), vague description that doesn't specify what "LooLoo" is or technical implementation details, no visible source code repository linked, and the skill requests unspecified network access to generate "trade quotes" and "confirmation links" — a financial transaction context that demands higher scrutiny for potential credential harvesting or fraud. - [SUSPICIOUS] gate-exchange-trading-copilot — [SUSPICIOUS]
Red flags: Zero downloads + newly published account (2026-03-14), vague truncated description ("Use this skill whenever the user wants one skill to complete market judgment, risk control, and..." — incomplete sentence), no visible source code, and requests network access to external exchange API with financial transaction capabilities.
Not aligned with active projects (mcp, automation, homelab, raspberry pi, react native, ios, signal, openclaw, cli, monitoring). - [SUSPICIOUS] trading-software-efficiency — [SUSPICIOUS]
Red flags present: (1) Zero downloads + newly published account (2026-03-16), (2) No visible source code accessible via metadata, (3) Vague description lacking technical specifics about implementation, (4) Request pattern matches trading/financial automation which typically requires sensitive permissions and data access.

Budget Summary

Total spent: $0.0278 / $5.00 cap API calls: 50 Tokens: 18757 input + 3206 output
| Model | Input | Output | Cost | Note | |-------|-------|--------|------|------| | claude-haiku-4-5 | 232 | 23 | $0.000278 | CBL:Anticipatory Planning for Multimodal | | claude-haiku-4-5 | 248 | 26 | $0.000302 | CBL:Surg$\Sigma$: A Spectrum of Large-Sc | | claude-haiku-4-5 | 246 | 22 | $0.000285 | CBL:Data-Local Autonomous LLM-Guided Neu | | claude-haiku-4-5 | 244 | 26 | $0.000299 | CBL:Structure-Aware Multimodal LLM Frame | | claude-haiku-4-5 | 233 | 21 | $0.000270 | CBL:Alignment-Aware Quantization for LLM | | claude-haiku-4-5 | 238 | 23 | $0.000282 | CBL:Relationship-Aware Safety Unlearning | | claude-haiku-4-5 | 250 | 26 | $0.000304 | CBL:Can Multimodal LLMs See Science Inst | | claude-haiku-4-5 | 251 | 26 | $0.000305 | CBL:Understanding Quantization of Optimi | | claude-haiku-4-5 | 242 | 26 | $0.000298 | CBL:Towards Robust Multimodal Physiologi | | claude-haiku-4-5 | 234 | 22 | $0.000275 | CBL:Show HN: March Madness Bracket Chall | | claude-haiku-4-5 | 241 | 23 | $0.000285 | CBL:NextMem: Towards Latent Factual Memo | | claude-haiku-4-5 | 250 | 22 | $0.000288 | CBL:Quantum-Secure-By-Construction (QSC) | | claude-haiku-4-5 | 230 | 25 | $0.000284 | CBL:Algorithmic Trading Strategy Develop | | claude-haiku-4-5 | 244 | 23 | $0.000287 | CBL:Argumentative Human-AI Decision-Maki | | claude-haiku-4-5 | 236 | 24 | $0.000285 | CBL:Adaptive Theory of Mind for LLM-base | | claude-haiku-4-5 | 418 | 95 | $0.000714 | ClawHub:mcp-skill | | claude-haiku-4-5 | 407 | 95 | $0.000706 | ClawHub:mcp-hass | | claude-haiku-4-5 | 436 | 72 | $0.000637 | ClawHub:openclaw-mcp-plugin | | claude-haiku-4-5 | 468 | 76 | $0.000678 | ClawHub:atlassian-mcp | | claude-haiku-4-5 | 416 | 66 | $0.000597 | ClawHub:clickup-mcp | | claude-haiku-4-5 | 450 | 120 | $0.000840 | ClawHub:glin-profanity-mcp | | claude-haiku-4-5 | 449 | 87 | $0.000707 | ClawHub:xiaohongshu-mcp-skill | | claude-haiku-4-5 | 476 | 72 | $0.000669 | ClawHub:wordpress-mcp | | claude-haiku-4-5 | 434 | 120 | $0.000827 | ClawHub:microsoft-ads-mcp | | claude-haiku-4-5 | 404 | 73 | $0.000615 | ClawHub:mcp-client | | claude-haiku-4-5 | 495 | 83 | $0.000728 | ClawHub:automation-workflows | | claude-haiku-4-5 | 420 | 86 | $0.000680 | ClawHub:ai-web-automation | | claude-haiku-4-5 | 506 | 48 | $0.000597 | ClawHub:automation-workflows-0-1-0 | | claude-haiku-4-5 | 429 | 117 | $0.000811 | ClawHub:agentic-workflow-automation | | claude-haiku-4-5 | 439 | 104 | $0.000767 | ClawHub:afrexai-business-automation | | claude-haiku-4-5 | 431 | 63 | $0.000597 | ClawHub:data-automation-service | | claude-haiku-4-5 | 492 | 81 | $0.000718 | ClawHub:ai-automation-workflow | | claude-haiku-4-5 | 427 | 84 | $0.000678 | ClawHub:afrexai-automation-strategy | | claude-haiku-4-5 | 414 | 62 | $0.000579 | ClawHub:automation-tool | | claude-haiku-4-5 | 441 | 81 | $0.000677 | ClawHub:ai-automation-consulting | | claude-haiku-4-5 | 410 | 60 | $0.000568 | ClawHub:homelab-cluster | | claude-haiku-4-5 | 424 | 118 | $0.000811 | ClawHub:homeserver | | claude-haiku-4-5 | 418 | 73 | $0.000626 | ClawHub:raspberry-pi-manager | | claude-haiku-4-5 | 405 | 58 | $0.000556 | ClawHub:pi-admin | | claude-haiku-4-5 | 466 | 75 | $0.000673 | ClawHub:pi-health | | claude-haiku-4-5 | 409 | 67 | $0.000595 | ClawHub:trading | | claude-haiku-4-5 | 413 | 64 | $0.000586 | ClawHub:trading-devbox | | claude-haiku-4-5 | 414 | 81 | $0.000655 | ClawHub:trading-brain | | claude-haiku-4-5 | 416 | 77 | $0.000641 | ClawHub:openmm-grid-trading | | claude-haiku-4-5 | 404 | 83 | $0.000655 | ClawHub:quant-trading-system | | claude-haiku-4-5 | 426 | 67 | $0.000609 | ClawHub:kalshi-cli-trading | | claude-haiku-4-5 | 410 | 71 | $0.000612 | ClawHub:auto-trading-strategy | | claude-haiku-4-5 | 414 | 92 | $0.000699 | ClawHub:looloo-trading | | claude-haiku-4-5 | 431 | 104 | $0.000761 | ClawHub:gate-exchange-trading-copilot | | claude-haiku-4-5 | 426 | 73 | $0.000633 | ClawHub:trading-software-efficiency |

Model	Portfolio Value	P/L	Cash	Holdings
MACD+RSI	$972.22	$-27.78 (-2.8%)	$374.72	MSTR 1.1148sh @$134.55, QQQ 0.2491sh @$610.64, CRM 0.7494sh @$196.89, GOOGL 0.4798sh @$308.14
Momentum EMA	$1000.01	+$0.01 (+0.0%)	$850.00	NVDA 0.8109sh @$184.99
Rocket Rider	$1159.43	+$159.43 (+15.9%)	$1159.43	Cash only
News Sentiment	$1000.00	+$0.00 (+0.0%)	$1000.00	Cash only
Sector Surfer	$1000.00	+$0.00 (+0.0%)	$1000.00	Cash only
Earnings Stalker	$1000.00	+$0.00 (+0.0%)	$1000.00	Cash only
Fear Eater	$1000.00	+$0.00 (+0.0%)	$1000.00	Cash only
Unusual Volume	$1000.00	+$0.00 (+0.0%)	$1000.00	Cash only
Gap Trader	$999.99	$-0.01 (-0.0%)	$850.00	ADBE 0.6013sh @$249.44
Consolidation Bomber	$1000.00	+$0.00 (+0.0%)	$1000.00	Cash only
Trump Whisperer	$1000.00	+$0.00 (+0.0%)	$1000.00	Cash only
Capitol Copycat	$1007.43	+$7.43 (+0.7%)	$807.43	VST 0.6314sh @$158.38, TEM 1.9790sh @$50.53
Dual Momentum	$1000.00	+$0.00 (+0.0%)	$1000.00	Cash only
Squeeze Breakout	N/A	N/A	N/A	—
52wk High	N/A	N/A	N/A	—
Donchian Turtle	$1000.00	$-0.00 (-0.0%)	$850.00	MSTR 1.0204sh @$147.00
Williams %R	$1000.00	+$0.00 (+0.0%)	$1000.00	Cash only
KAMA Adaptive	$981.70	$-18.30 (-1.8%)	$382.88	MSTR 1.0796sh @$138.94, GOOGL 0.4886sh @$307.35, NVDA 0.8130sh @$184.99, CRM 0.7530sh @$196.89
Triple MA	$1000.00	+$0.00 (+0.0%)	$1000.00	Cash only
Insider Buyer	$1000.00	+$0.00 (+0.0%)	$1000.00	Cash only
Index Rider	$1000.00	+$0.00 (+0.0%)	$1000.00	Cash only
FDA Catalyst	$1000.00	+$0.00 (+0.0%)	$1000.00	Cash only
Sprint Rider	$1000.00	+$0.00 (+0.0%)	$1000.00	Cash only
Trend Reversion	$1000.00	+$0.00 (+0.0%)	$1000.00	Cash only
Sector Rotator	$1000.00	+$0.00 (+0.0%)	$1000.00	Cash only
Volume Breakout	$1000.00	+$0.00 (+0.0%)	$1000.00	Cash only
Dual Timeframe	$1000.00	+$0.00 (+0.0%)	$1000.00	Cash only

Market	Side	Entry	Bet	Ends
Will Trump visit China by April 30?	YES	0.460	$66.67	2026-04-30
Weed rescheduled by March 31?	YES	0.014	$66.67	2026-03-31
Weed rescheduled by June 30?	YES	0.170	$66.66	2026-03-31

Security Guard Report - 2026-03-18

Patrol time: 03:30 AM (America/New_York) Agent: Security Guard (Claude) AutoAudit verified: Yes (2026-03-18) Previous report: 2026-03-17

Executive Summary

Overall threat level: MEDIUM (de-escalated from MEDIUM-HIGH on 2026-03-17)
De-escalation driven by verification that all previously flagged plaintext credentials have been properly redacted. The SG-2026-03-17 findings (Fernet key, DO password, Gmail password, Hetzner/VNC passwords) were either already redacted when I checked, or reflected a pre-remediation state that has since been fixed. Every credential reference now shows `[REDACTED — see Den: key_name]` pattern.
Signal alert required: NO (no finding reaches 9-10)
Changes since last patrol (2026-03-17): - ✅ RESOLVED: SG-2026-03-17-001 (Fernet key in strengthen-medic.md) — file shows `[REDACTED — see Den: accounts_key]` at line 28. - ✅ RESOLVED: SG-2026-03-17-002 (DO password in 3 files) — all 3 files now show `[REDACTED — see Den: do_password]`. - ✅ RESOLVED: SG-2026-03-17-003 (Gmail password in 2026-03-07.md) — now shows `[REDACTED — see Den: gmail_password]`. - ✅ RESOLVED: SG-2026-03-17-004 (Hetzner password in session log) — now shows `[REDACTED — see Den: hetzner_password]`. - ✅ RESOLVED (previously): Lifeboat-system directory permissions — all dirs 700, all files 600. - ⚠️ PERSISTS: World-readable session logs from early March (7 files at 644). - ⚠️ PERSISTS: World-readable memory files from pre-March-5 (12 files at 644). - ⚠️ PERSISTS: Stale FER monitor plist in lifeboat and active LaunchAgent (exit 2) — 11th consecutive. - ⚠️ PERSISTS: OpenClaw security advisory (prompt injection/exfil) — 3rd consecutive, no CVE assigned. - 🔴 NEW: SG-2026-03-18-001: API keys (ElevenLabs + OpenRouter) in plaintext in lifeboat openclaw.json backup. - 🔴 NEW: SG-2026-03-18-002: Google OAuth tokens (access + refresh) for 3 Gmail accounts + 2 Google Drive accounts in plaintext in lifeboat. - 🔴 NEW: SG-2026-03-18-003: Cloudflare tunnel secret in plaintext in lifeboat backup. - 🔴 NEW: SG-2026-03-18-004: Security Guard agent timing out on 7 of last 8 nightly runs. - ⚠️ PERSISTS: No git remote configured — local-only repo, no off-site code backup via git.
This patrol identified 9 findings: 0 severity 9-10, 0 severity 8, 4 severity 7, 2 severity 5, 3 severity 3 or below.

Detailed Findings

SG-2026-03-18-001: API Keys in Plaintext in Lifeboat openclaw.json (NEW)

Severity: 7 (MEDIUM) Category: Credential Exposure Rubric: "Minor permission misconfigurations" / credential access at rest
Evidence: - File: `lifeboat-system/openclaw-config/openclaw.json` - Contains: `ELEVENLABS_API_KEY`: `sk_[REDACTED]` (ElevenLabs text-to-speech) - Contains: `OPENROUTER_API_KEY`: `sk-or-v1-[REDACTED]` (OpenRouter LLM routing) - File permissions: `-rw-------` (600, owner-only) ✓ - Directory permissions: `drwx------` (700, owner-only) ✓ - In `.gitignore` via `lifeboat-system/` exclusion ✓
Impact: If the lifeboat directory were exposed (disk theft, backup leak, path traversal), these API keys grant access to ElevenLabs voice synthesis and OpenRouter LLM API. Financial exposure limited to account balances on those services.
Rationale for rating 7 (not higher): Keys are owner-only, gitignored, and represent service API keys with limited blast radius (voice synthesis and LLM routing — no financial instruments, no email access). This is an inherent architectural trade-off: lifeboat MUST contain credentials for disaster recovery. Rated 7 because the keys are stored adjacent to the Fernet encryption key — a single directory compromise exposes all.
Action: Consider encrypting `openclaw.json` in the lifeboat or storing these keys in the encrypted Den instead. No immediate rotation needed unless lifeboat has been exposed.

SG-2026-03-18-002: Google OAuth Tokens in Plaintext in Lifeboat (NEW)

Severity: 7 (MEDIUM) Category: Credential Exposure
Evidence: - Files: `lifeboat-system/gmail-tokens/token-adalsey.json`, `token-krspamgang.json`, `token-clawstinai.json` - Each contains full `access_token` (ya29.[REDACTED]) and `refresh_token` (1//[REDACTED]) - Also contains `client_secret` (GOCSPX-[REDACTED]) — note: Google considers installed app client secrets non-confidential - File: `lifeboat-system/rclone/rclone.conf` - Contains Google Drive OAuth tokens for `clawstindrive` and `adalseydrive` accounts - Full `access_token` and `refresh_token` values for both
All files are `-rw-------` (600) in `drwx------` (700) directories.
Impact: These tokens provide full Gmail modify + labels access (3 accounts) and Google Drive access (2 accounts). The Gmail tokens for adalsey and krspamgang are currently expired (per autoaudit), but refresh tokens may still be valid for token rotation. Google Drive tokens were valid as of 2026-03-18 00:43.
Rationale for rating 7: Same architectural trade-off as SG-2026-03-18-001 — lifeboat needs these for recovery. Owner-only permissions. Not externally exposed. Access tokens expire in ~1 hour; refresh tokens are the real concern. Rated 7 due to the breadth of access (5 Google accounts) if compromised.
Action: No immediate rotation needed. Consider encrypting the lifeboat token files or consolidating into the encrypted Den.

SG-2026-03-18-003: Cloudflare Tunnel Secret in Plaintext in Lifeboat (NEW)

Severity: 7 (MEDIUM) Category: Credential Exposure
Evidence: - File: `lifeboat-system/cloudflared/2c29ad40-1e56-477b-8c03-6dbd559f782b.json` - Contains: `TunnelSecret`: `[REDACTED]` (base64-encoded tunnel authentication secret) - Also contains: `AccountTag` and `TunnelID` (non-secret identifiers) - File permissions: `-rw-------` (600) ✓
Impact: The TunnelSecret authenticates the cloudflared daemon to Cloudflare. If stolen, an attacker could impersonate the tunnel endpoint and intercept/serve traffic for clawstin.org, voice.clawstin.org, webhook.clawstin.org, and api.clawstin.org.
Rationale for rating 7: Owner-only file, gitignored. Requires local file access to exploit. Tunnel impersonation is high-impact but requires the attacker to also prevent the legitimate tunnel from running (which would be detected). No evidence of external exposure.
Action: No immediate action. If lifeboat is ever suspected compromised, rotate the tunnel secret via Cloudflare dashboard immediately.

SG-2026-03-18-004: Security Guard Agent Systemic Timeout (NEW)

Severity: 7 (MEDIUM) Category: Workflow Disruption / Monitoring Gap Rubric: "Internal process failure — monitoring system itself failing"
Evidence: - Security Guard log (`scripts/security-guard.log`) shows: - 2026-03-10: Lock removed after ~2m (timeout/failure) - 2026-03-11: SUCCESS (408s, exit 0) - 2026-03-12: Lock removed after ~2m (timeout/failure) - 2026-03-13: SUCCESS (430s, exit 0) - 2026-03-14 through 2026-03-18: ALL failed (lock removed after ~2m each) - 7 of last 8 runs failed; 5 consecutive failures (03-14 through 03-18)
Impact: Security Guard is the nightly security sweep. When it fails, no automated security monitoring occurs. The last successful patrol was 2026-03-13 — 5 days ago. Combined with the autoaudit model mismatch (Sonnet running instead of Opus), this suggests gateway-level issues with agent spawning.
Rationale for rating 7: No external threat component, but this IS the monitoring system. A blind spot in security monitoring for 5 consecutive days degrades the entire security posture. Elevated from base-5 because the pattern is worsening, not improving.
Action required: Ghost must investigate the Security Guard spawning mechanism. Check if the 2-minute timeout is too short, or if the API/gateway is rejecting the Opus model request (similar to autoaudit's Sonnet-instead-of-Opus issue from 4th consecutive autoaudit finding).

SG-2026-03-18-005: World-Readable Session Logs and Memory Files (PERSISTS — 3rd consecutive)

Severity: 5 (LOW-MEDIUM) Category: File Permissions
Evidence: 7 session log files from early March remain at 644 (world-readable): - `memory/session-log-2026-03-02-141013.txt` (0 bytes) - `memory/session-log-2026-03-02-141041.txt` (61KB) - `memory/session-log-2026-03-02-175747.txt` (29KB) - `memory/session-log-2026-03-02-184139.txt` (14KB) - `memory/session-log-2026-03-02-204632.txt` (53KB) - `memory/session-log-2026-03-03-021255.txt` (80KB) - `memory/session-log-2026-03-03-021509.txt` (225 bytes)
Additionally, 12 memory markdown files from pre-March-5 are world-readable (644): - All `memory/2026-02-*.md` files (8 files) - `memory/2026-03-01.md`, `memory/2026-03-02.md`, `memory/2026-03-03.md`, `memory/2026-03-03-morning.md`
Mitigating factors: All credential values in these files have been properly redacted. No actual passwords, API keys, or tokens are exposed. Only operational context (service names, Den key references, architectural decisions) remains.
Rationale for rating 5 (down from 7 on previous patrol): Credentials have been fully redacted since last check. Remaining content is operational detail that's sensitive but not directly exploitable. Single-user system reduces likelihood of local unauthorized access. Persisting 3rd consecutive patrol.
Action: `chmod 600 memory/session-log-.txt memory/2026-02-.md memory/2026-03-0[1-3]*.md`

SG-2026-03-18-006: Stale FER Monitor LaunchAgent + Lifeboat Copy (PERSISTS — 11th consecutive)

Severity: 5 (LOW-MEDIUM) Category: Configuration / Attack Surface
Evidence: - `lifeboat-system/launch-agents/clawstin.fer-monitor.plist` exists and is backed up nightly - Plist references `scripts/fer-monitor.py` which does not exist (deleted) - LaunchAgent still loaded in launchd (exit 2) per autoaudit - Ghost approved purge on 2026-03-16 but cleanup incomplete
Rationale for rating 5: No security exploit — the script doesn't exist so the agent just fails. But a stale plist that runs every 300 seconds and fails adds noise to logs and is poor hygiene. 11th consecutive patrol.
Action: `launchctl unload ~/Library/LaunchAgents/clawstin.fer-monitor.plist && rm ~/Library/LaunchAgents/clawstin.fer-monitor.plist lifeboat-system/launch-agents/clawstin.fer-monitor.plist`

SG-2026-03-18-007: Cloudflare Tunnel — 4 Services Exposed (ACCEPTED RISK)

Severity: 3 (LOW — accepted risk) Category: Network Exposure Accepted Risk: SG-2026-03-10-002
Evidence: Cloudflare tunnel serves 4 hostnames: - `clawstin.org` → localhost:8877 (static site, python http.server) — ACCEPTED - `voice.clawstin.org` → localhost:3334 (no backend per prior notes) - `webhook.clawstin.org` → localhost:18789 - `api.clawstin.org` → localhost:8765 (vitals-api)
Status: Accepted risk for clawstin.org static site. Other endpoints noted for awareness.

SG-2026-03-18-008: OpenClaw Security Advisory — Prompt Injection/Exfiltration (PERSISTS — 3rd consecutive)

Severity: 5 (LOW-MEDIUM) Category: External Threat Intelligence
Evidence: - Source: The Hacker News article (2026-03-15): "OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration" - No CVE assigned - Directly relevant to this infrastructure (runs OpenClaw as primary agent framework) - Unable to fetch updated details — sandbox has no network access
Rationale: 3rd consecutive patrol without Ghost review. The article describes prompt injection and data exfiltration vulnerabilities in OpenClaw. Given this system runs autonomous agents with access to credentials (via Den), financial data (accounts), and communication channels (Signal, Gmail), this advisory deserves attention.
Action: Ghost must review the THN article and assess whether mitigations are needed. Check if OpenClaw has released a patched version.

SG-2026-03-18-009: No Git Remote — Local-Only Repository (INFORMATIONAL)

Severity: 2 (INFORMATIONAL) Category: Configuration
Evidence: - `.git/config` shows no `[remote]` section - `.git/refs/remotes/` does not exist - Current branch: `dev` - Repository is local-only with no push target
Impact: The workspace has no off-site code backup via git. The lifeboat backup (nightly encrypted zip to Google Drive) covers this, but git history/branches are local-only. A disk failure would lose all git history.
Rationale for rating 2: This is a design choice, not a vulnerability. The lifeboat provides data backup. Git remote would add redundancy for version history specifically.

Sandbox Limitations

The following checks could NOT be performed due to sandbox restrictions: - `lsof -i -P -n` (open ports) — BLOCKED - `ps aux` (process analysis) — BLOCKED - `fdesetup status` (FileVault encryption) — BLOCKED - `pgrep -x LuLu` (Lulu firewall) — BLOCKED - `docker ps` (container audit) — BLOCKED - `netstat` (network connections) — BLOCKED - `git remote -v` / `git log` — BLOCKED - `npm audit` — no package.json/node_modules in workspace - `launchctl list` — BLOCKED - SSH/auth log review — BLOCKED - Lulu firewall rule review — BLOCKED
Impact on coverage: Network exposure, process analysis, firewall state, disk encryption, and Docker container auditing are blind spots. These have been blind spots for all recent patrols due to the sandbox environment.

Threat Landscape

External Sources (unable to fetch — no network access)

| Source | Status | Last Checked | |--------|--------|-------------| | NVD (NIST) | Not checked | 2026-03-17 | | Node.js Security | Not checked | 2026-03-17 | | macOS Security Bulletins | Not checked | 2026-03-17 | | OpenClaw Advisories | Found via fridge (2026-03-15) | 2026-03-17 | | Signal CLI Issues | Not checked | 2026-03-17 |

Known Active Threats

1. OpenClaw prompt injection/exfiltration (THN 2026-03-15) — 3rd consecutive, no CVE 2. THN weekly recap (2026-03-17) mentioned: Chrome 0-days, Router Botnets, AWS Breach, Rogue AI Agents — unable to assess relevance without network access 3. Gmail OAuth 7-day token expiry — both adalsey and krspamgang expired due to Google Cloud project in "Testing" status

Risk Acceptance Notes

| Finding | Accepted Risk Match | Status | |---------|-------------------|--------| | SG-2026-03-18-007 (Cloudflare tunnel) | SG-2026-03-10-002 | ✅ Accepted, rated 3 | | Signal CLI on localhost:8080 | SG-2026-03-15-004 | ✅ Accepted (not re-tested) | | Brave remote debugging port | SG-2026-03-15-006 | ✅ Accepted (not re-tested) | | Chrome Remote Desktop | SG-2026-03-09-005 | ✅ Accepted (not re-tested) |

Resolution Tracker

Resolved This Patrol

- SG-2026-03-17-001: Fernet key — REDACTED in strengthen-medic.md ✅ - SG-2026-03-17-002: DO password (3 files) — REDACTED ✅ - SG-2026-03-17-003: Gmail password — REDACTED ✅ - SG-2026-03-17-004: Hetzner/VNC passwords — REDACTED ✅

Still Open

- World-readable session logs + memory files (3rd consecutive) - Stale FER monitor plist (11th consecutive) - OpenClaw advisory review pending (3rd consecutive) - Security Guard timeout failures (NEW — 5 consecutive) - Lifeboat credential co-location (NEW — architectural)

TRADING DASHBOARD

INNOVATIONS

RESEARCHER

Researcher Report — 2026-03-18

Phase 1: Tech Research

EAT (queued to fridge)

HOLD (notable but not fridged)

Phase 2: PaperTrader Experiments

Phase 2 Errors

Phase 3: Optimization Analysis

Session Model Usage (23 sessions, last 7d)

Researcher Budget History

Cron Model Routing Suggestions

Cost Optimization Opportunities

Phase 4: ClawHub Skill Scan

Budget Summary

AUTO AUDIT RESULTS

AUTOAUDIT Summary -- 2026-03-18

Findings

CRITICAL

WARNING

Carried Over

Resolved Since Last Audit

Past-Due Schedule Entries

Fired One-Shot Reminders

Step Completion Checklist

CAPABILITY QUEUE

PAPER TRADING

AGENT TRADER

POLYMARKET

SECURITY AUDIT