CLAWSTIN MORNING PAPER — 2026-03-23

Monday, 2026-03-23

TRADING DASHBOARD

TRADING P&L DASHBOARD — Daily target: $10/day

| Track | Today | Total P&L | Notes |
|---|---|---|---|
| 📈 Agent Trader | $+0.00 | $-14.68 | Swing, public.com |
| 🎲 Polymarket | — | $-130.68 | Structural arb, slow |
| Net (after tax + costs) | $-0.10 | | vs $10 target: $-10.10 |

Cost breakdown: tax 37% short-term ($0.00) + token spend ($0.10/day) | Go-live trigger: 5 consecutive profitable weeks in paper trading

INNOVATIONS

RESEARCHER

Researcher Report — 2026-03-23

Run time: 2026-03-23 01:04 ET


Phase 1: Tech Research


- Sources scanned: 578 items across HN + RSS feeds
- Candidates after scoring: 15
- CBL evaluated: 15

EAT (queued to fridge)

- [EAT] Teaching Claude to QA a mobile app — _✅ queued_
- [EAT] A Framework for Formalizing LLM Agent Security — _✅ queued_
- [EAT] Autonoma: A Hierarchical Multi-Agent Framework for End-to-End Workflow Automation — _✅ queued_
- [EAT] Claude Code Security and Magecart: Getting the Threat Model Right — _✅ queued_
- [EAT] ⚑ Weekly Recap: Chrome 0-Days, Router Botnets, AWS Breach, Rogue AI Agents & More — _✅ queued_
- [EAT] OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration — _✅ queued_
- [EAT] A Subgoal-driven Framework for Improving Long-Horizon LLM Agents — _✅ queued_
- [EAT] Utility-Guided Agent Orchestration for Efficient LLM Tool Use — _✅ queued_

HOLD (notable but not fridged)

- [HOLD] TTQ: Activation-Aware Test-Time Quantization to Accelerate LLM Inference On The Fly
- [HOLD] PlanTwin: Privacy-Preserving Planning Abstractions for Cloud-Assisted LLM Agents
- [HOLD] Automated Membership Inference Attacks: Discovering MIA Signal Computations using LLM Agents
- [HOLD] A comprehensive study of LLM-based argument classification: from Llama through DeepSeek to GPT-5.2
- [HOLD] CLaRE-ty Amid Chaos: Quantifying Representational Entanglement to Predict Ripple Effects in LLM Editing
- _(and 2 more HOLD items)_


Phase 2: PaperTrader Experiments


_No snapshot data available for today._

Phase 2 Errors

- ⚠️ No snapshot for today — cannot analyze performance


Phase 3: Optimization Analysis


> _Stale files and cron health are auditor territory (autoaudit). This phase covers cost and model routing only._

Cost Optimization Suggestions


- bizbot (currently Opus): Evaluate if Sonnet or Haiku could handle this task — ~10-50x cost reduction per run
- agent-trader-premarket (currently Opus): Evaluate if Sonnet or Haiku could handle this task — ~10-50x cost reduction per run

Cost Optimization Opportunities


- Opus referenced in 31 mentions across 29 sessions (39% of model refs) → Review Opus-heavy sessions — most tasks could run on Sonnet at ~10x lower cost. _Up to ~10x on affected calls_




Phase 4: ClawHub Skill Scan



35 suspicious skill(s):

- [SUSPICIOUS] mcp-skill — Multiple red flags present: zero downloads with new publication date (2026-01-26), vague description lacking implementation details, requests broad network access (web search, crawling, LinkedIn) and filesystem permissions typical of MCP server tools, no visible source code repository linked, and the skill name "mcp-skill" is generic without specificity about which MCP server or tools are actually provided.
- [SUSPICIOUS] mcp-hass — Red flags present: (1) Zero downloads + new account (published 2026-02-10, 0 downloads), (2) No visible source code repository linked, (3) Requests network access to Home Assistant instances (potential attack surface for credential exfiltration or lateral movement into smart home infrastructure).
- [SUSPICIOUS] openclaw-mcp-plugin — Red flags present: (1) Zero downloads + newly published account (2026-02-02), (2) No visible source code repository linked, (3) Requests broad network access and process spawning capabilities ("execute tools from configured MCP servers"), (4) Description is agent-directed ("Enable AI agents to discover and execute"), (5) Vague implementation details about what "configured MCP servers" means and how they're validated.
- [SUSPICIOUS] atlassian-mcp — Multiple red flags: zero downloads + new author + requires Docker process spawning + requests external network access (Jira API credentials) + vague implementation details with no visible source code repository linked.
- [SUSPICIOUS] clickup-mcp — Red flags: Zero downloads + newly published (2026-01-06), no visible source code repository link, requests OAuth authentication to external service (ClickUp), and the vague description lacks implementation details or security documentation typical of legitimate MCP skills.
- [SUSPICIOUS] glin-profanity-mcp — Red flags: Zero downloads + new account (published 2026-02-01, author "thegdsks" appears to be first submission), no visible source code repository link provided, and the description is directed at AI agent use cases ("when AI needs content moderation capabilities") rather than describing the tool itself objectively.
- [SUSPICIOUS] xiaohongshu-mcp-skill — Multiple red flags: zero downloads + newly published (2026-02-28), no visible source code repository linked, vague truncated description suggesting network/process access ("Operate Xiaohongshu via local MCP service"), and the skill requests interaction with an external social media platform which implies filesystem/network permissions outside a controlled workspace.
- [SUSPICIOUS] mcp-client — Red flags: Zero downloads + new account (published 2026-02-22, author "nantes" with no history), no visible source code, vague description that doesn't specify what MCP endpoints/services it connects to, and the generic "connect to tools, data sources and services" phrasing lacks concrete implementation details needed for security assessment.
- [SUSPICIOUS] wordpress-mcp — Red flags: Zero downloads + newly published (2026-02-10), no visible source code repository linked, vague permission model for "any WordPress admin task", and requests network access to WordPress sites plus filesystem operations (media management, post creation) without transparent scope documentation. Not relevant to active projects (mcp/automation contexts would need verified implementation details).
- [SUSPICIOUS] openclaw-mcp-debugger — Red flags present: (1) Zero downloads + newly published (2026-03-04), (2) No visible source code referenced, (3) Vague description cut off mid-sentence ("providing deep-..."), (4) Author handle "tmstudio667-commits" suggests automated/generic account creation, (5) Requests deep system diagnostics which typically require elevated permissions and network access. Not recommended for installation without source code audit and author verification.
- [SUSPICIOUS] automation-workflows — Red flags present: Zero downloads + newly published account (2026-02-06), no visible source code repository linked, vague implementation details for a complex skill, and description reads as agent instructions rather than technical documentation ("Use when identifying...", "Trigger on...").
- [SUSPICIOUS] ai-web-automation — Multiple red flags present: zero downloads with newly created account (2026-02-20), vague description lacking implementation details, requests broad permissions (multi-browser automation, filesystem access for form filling/scraping), and no visible source code available for inspection.
- [SUSPICIOUS] automation-workflows-0-1-0 — Red flags: Zero downloads + new account (published 2026-02-07, author "lucasayala" with no visible reputation), no visible source code repository linked, and vague description that doesn't specify actual implementation details, permissions, or dependencies for the claimed automation tool integrations (Zapier, Make, n8n).
- [SUSPICIOUS] agentic-workflow-automation — Multiple red flags present: zero downloads with very recent publication date (2026-02-26), vague/truncated description that doesn't fully explain functionality, author handle "0x-Professor" suggests minimal reputation/verification, no visible source code mentioned, and the skill name + description pattern (agentic workflow automation) combined with zero adoption suggests this could be a test payload or low-trust contribution. Not recommended for integration without source code audit and author verification from ClawHub maintainers.
- [SUSPICIOUS] ai-automation-workflows — Multiple red flags: zero downloads with very recent publication date (2026-02-05), vague description lacking implementation details, no visible source code repository link, and the description reads as capability statements rather than concrete documentation—typical of untrusted external content that could mask permission overreach or malicious behavior.
- [SUSPICIOUS] afrexai-business-automation — Red flags: (1) Zero downloads + newly published (2026-02-13), (2) No visible source code repository linked, (3) Description is directive language aimed at an AI agent ("Turn your AI agent into..." / "Design, document, implement...") rather than neutral documentation of what the skill does, (4) Vague implementation claims ("no n8n or Zapier required") without explaining the actual mechanism, (5) Author account "1kalin" with no verifiable history.
- [SUSPICIOUS] automation-tool — This skill exhibits multiple critical red flags: zero downloads from a newly created account (2026-03-08), vague description in Chinese offering "batch generation" without specifying implementation details, no visible source code, and the generic nature suggests potential for misuse in automated content manipulation or spam generation.
- [SUSPICIOUS] afrexai-automation-strategy — Red flags: Zero downloads + brand new account (published 2026-02-19), vague description with truncation ("across any..."), no visible source code referenced, and the generic nature makes it impossible to assess what permissions or network access it actually requires.
- [SUSPICIOUS] ai-ceo-automation — Red flags present: (1) Zero downloads + new account with future publish date (2026), (2) Vague description lacking technical specifics about what "fully automated company operations" means, (3) No visible source code link, (4) Description reads as a directive to an AI agent rather than technical documentation, (5) Requests for permissions/capabilities unclear but implied scope is dangerously broad.
- [SUSPICIOUS] ai-web-automation-1-0-0 — Red flags: (1) Zero downloads + newly published account, (2) Requests network access and process spawning (Selenium/Puppeteer), (3) No visible source code repository linked, (4) Vague implementation details on retry/proxy handling, and (5) Description reads as a capability pitch rather than technical documentation.
- [SUSPICIOUS] homelab-cluster — Zero downloads, newly published (2026-02-12), vague description lacking technical specifics, no visible source code, and requests infrastructure-level access (cluster management, health monitoring) that requires careful permission verification before deployment.
- [SUSPICIOUS] truenas-skill — Red flags: No visible source code, zero downloads with newly published account (2026-02-09), requests network access to external TrueNAS API, and vague implementation details without transparency on authentication/permission handling.
- [SUSPICIOUS] homeserver — This skill exhibits multiple critical red flags: zero downloads with a very recent publish date (2026-02-23), no visible source code repository, vague truncated description ending in "ba..." suggesting incomplete information, requests for sensitive permissions (filesystem access, process spawning, network operations including port scanning), and the author account "Higangssh" appears to have minimal reputation history. Project relevance: Matches "homelab" and "monitoring" keywords, but trustworthiness concerns override relevance.
- [SUSPICIOUS] pi-admin — Red flags present: (1) Zero downloads + new/recent publication date, (2) No visible source code accessible for review, (3) Requests system-level access (resource monitoring, service management, updates) which requires elevated permissions and filesystem access outside typical workspace boundaries, (4) Author account "TheSethRose" appears to be a new publisher with no verifiable history. This skill requests dangerous permissions (process spawning, system service control, package updates) that warrant manual code review before any consideration.
- [SUSPICIOUS] pi-health — Red flags: Zero downloads + new account (published 2026-02-09, 0 downloads), no visible source code repository linked, and the skill requires spawning processes to read system files (`/sys/class/thermal`, `/proc/cpuinfo`, etc.) which poses execution risk without transparent code review. If proceeding: Relevant to homelab/Raspberry Pi monitoring projects, but source code audit required before installation.
- [SUSPICIOUS] trading — Multiple red flags present: zero downloads with very recent publication date (2026-02-12), no visible source code indicated, vague description lacking implementation details, and "trading" matches a keyword but the skill's actual utility and safety profile cannot be verified without source code inspection.
- [SUSPICIOUS] trading-devbox — Red flags present: (1) Zero downloads + newly published (2026-02-25), (2) No visible source code repository linked, (3) Description implies agent will execute arbitrary Python code generation ("agent writes a Python backtest strategy"), which creates code injection risk if user input isn't sanitized, (4) Requests execution capabilities that could spawn processes/filesystem access outside controlled sandbox.
- [SUSPICIOUS] trading-brain — Red flags: Zero downloads + new account (published 2026-02-27), vague description offering to "load" undefined personal trading strategy without visible source code, requests to "guide aggressive trades" suggests execution of financial decisions, and description reads as directive to an AI agent ("Load...to guide...trades").
- [SUSPICIOUS] openmm-grid-trading — Red flags: Zero downloads + newly published (2026-02-25), no visible source code repository linked, vague technical description lacking implementation details, and "grid trading" strategies involve financial transactions requiring strict security validation that cannot be assured from metadata alone.
- [SUSPICIOUS] auto-trading-strategy — Multiple critical red flags: zero downloads with very recent publication date (2026-03-13), new/unfamiliar author account (863king), vague description lacking technical implementation details, requests for sensitive capabilities (trading strategy execution, market prediction), and the skill offers financial/trading guidance which could facilitate harmful activities if compromised.
- [SUSPICIOUS] kalshi-cli-trading — Multiple red flags: zero downloads + new account (published 2026-03-04), vague description ending mid-sentence ("place..."), no visible source code, and requests network access to external trading platform plus likely process spawning for CLI tool execution.
- [SUSPICIOUS] futu-trading-bot — Red flags identified: (1) Zero downloads + newly published account, (2) No visible source code repository linked, (3) Requests real financial market access and trade execution capabilities with HK market data, (4) Vague implementation details for a high-risk financial application, (5) Author account appears to use auto-generated naming pattern typical of throwaway accounts. This skill involves real trading operations on live markets, which requires exceptionally high trust and transparency — neither of which this submission demonstrates.
- [SUSPICIOUS] finance-trading — Red flags identified: (1) Zero downloads + newly published (2026-03-17), (2) No visible source code repository linked, (3) Requests network access (trading API calls) and likely filesystem access (trade logging), (4) Author "Brioche-bit" has no verifiable history, (5) Description lacks specifics on API integrations, data sources, or security model for handling credentials. Not recommended for installation without source code audit and author verification.
- [SUSPICIOUS] trading-software-efficiency — Multiple red flags present: zero downloads, newly published account (2026 date anomaly), vague description without visible source code or implementation details, and the skill requests unspecified "custom functionality" which could involve filesystem or process access for trading software integration.
- [SUSPICIOUS] skill-trading-journal — Red flags present: (1) Zero downloads with very recent publication date (2026-03-17), (2) vague/truncated description that doesn't specify implementation details or permissions, (3) no visible source code repository linked, (4) trading journal skills typically require persistent filesystem access and network calls which should be explicitly declared but are not mentioned. Not a clear fit for active projects listed (mcp, homelab, raspberry pi infrastructure focus), and the opaque nature of external financial tracking tools presents both security and functional reliability concerns without source code


Budget Summary


- Total spent: $0.0280 / $5.00 cap
- API calls: 50
- Tokens: 18801 input + 3231 output

| Model | Input | Output | Cost | Note |
|-------|-------|--------|------|------|
| claude-haiku-4-5 | 247 | 26 | $0.000302 | CBL:TTQ: Activation-Aware Test-Time Quan |
| claude-haiku-4-5 | 244 | 26 | $0.000299 | CBL:PlanTwin: Privacy-Preserving Plannin |
| claude-haiku-4-5 | 243 | 21 | $0.000278 | CBL:Automated Membership Inference Attac |
| claude-haiku-4-5 | 260 | 22 | $0.000296 | CBL:Teaching Claude to QA a mobile app |
| claude-haiku-4-5 | 248 | 23 | $0.000290 | CBL:A comprehensive study of LLM-based a |
| claude-haiku-4-5 | 254 | 24 | $0.000299 | CBL:CLaRE-ty Amid Chaos: Quantifying Rep |
| claude-haiku-4-5 | 232 | 23 | $0.000278 | CBL:A Framework for Formalizing LLM Agen |
| claude-haiku-4-5 | 242 | 25 | $0.000294 | CBL:Autonoma: A Hierarchical Multi-Agent |
| claude-haiku-4-5 | 248 | 20 | $0.000278 | CBL:How Ceros Gives Security Teams Visib |
| claude-haiku-4-5 | 249 | 21 | $0.000283 | CBL:Claude Code Security and Magecart: G |
| claude-haiku-4-5 | 267 | 24 | $0.000310 | CBL:⚑ Weekly Recap: Chrome 0-Days, Route |
| claude-haiku-4-5 | 257 | 23 | $0.000298 | CBL:OpenClaw AI Agent Flaws Could Enable |
| claude-haiku-4-5 | 241 | 29 | $0.000309 | CBL:PowerLens: Taming LLM Agents for Saf |
| claude-haiku-4-5 | 240 | 24 | $0.000288 | CBL:A Subgoal-driven Framework for Impro |
| claude-haiku-4-5 | 237 | 22 | $0.000278 | CBL:Utility-Guided Agent Orchestration f |
| claude-haiku-4-5 | 418 | 90 | $0.000694 | ClawHub:mcp-skill |
| claude-haiku-4-5 | 407 | 74 | $0.000622 | ClawHub:mcp-hass |
| claude-haiku-4-5 | 436 | 101 | $0.000753 | ClawHub:openclaw-mcp-plugin |
| claude-haiku-4-5 | 468 | 48 | $0.000566 | ClawHub:atlassian-mcp |
| claude-haiku-4-5 | 416 | 60 | $0.000573 | ClawHub:clickup-mcp |
| claude-haiku-4-5 | 450 | 75 | $0.000660 | ClawHub:glin-profanity-mcp |
| claude-haiku-4-5 | 449 | 79 | $0.000675 | ClawHub:xiaohongshu-mcp-skill |
| claude-haiku-4-5 | 404 | 84 | $0.000659 | ClawHub:mcp-client |
| claude-haiku-4-5 | 476 | 82 | $0.000709 | ClawHub:wordpress-mcp |
| claude-haiku-4-5 | 427 | 106 | $0.000766 | ClawHub:openclaw-mcp-debugger |
| claude-haiku-4-5 | 495 | 64 | $0.000652 | ClawHub:automation-workflows |
| claude-haiku-4-5 | 420 | 61 | $0.000580 | ClawHub:ai-web-automation |
| claude-haiku-4-5 | 506 | 79 | $0.000721 | ClawHub:automation-workflows-0-1-0 |
| claude-haiku-4-5 | 429 | 112 | $0.000791 | ClawHub:agentic-workflow-automation |
| claude-haiku-4-5 | 420 | 71 | $0.000620 | ClawHub:ai-automation-workflows |
| claude-haiku-4-5 | 439 | 116 | $0.000815 | ClawHub:afrexai-business-automation |
| claude-haiku-4-5 | 414 | 69 | $0.000607 | ClawHub:automation-tool |
| claude-haiku-4-5 | 427 | 62 | $0.000590 | ClawHub:afrexai-automation-strategy |
| claude-haiku-4-5 | 401 | 94 | $0.000697 | ClawHub:ai-ceo-automation |
| claude-haiku-4-5 | 436 | 80 | $0.000669 | ClawHub:ai-web-automation-1-0-0 |
| claude-haiku-4-5 | 410 | 55 | $0.000548 | ClawHub:homelab-cluster |
| claude-haiku-4-5 | 459 | 55 | $0.000587 | ClawHub:truenas-skill |
| claude-haiku-4-5 | 425 | 116 | $0.000804 | ClawHub:homeserver |
| claude-haiku-4-5 | 405 | 116 | $0.000788 | ClawHub:pi-admin |
| claude-haiku-4-5 | 466 | 100 | $0.000773 | ClawHub:pi-health |
| claude-haiku-4-5 | 409 | 65 | $0.000587 | ClawHub:trading |
| claude-haiku-4-5 | 413 | 90 | $0.000690 | ClawHub:trading-devbox |
| claude-haiku-4-5 | 414 | 73 | $0.000623 | ClawHub:trading-brain |
| claude-haiku-4-5 | 416 | 60 | $0.000573 | ClawHub:openmm-grid-trading |
| claude-haiku-4-5 | 410 | 76 | $0.000632 | ClawHub:auto-trading-strategy |
| claude-haiku-4-5 | 426 | 61 | $0.000585 | ClawHub:kalshi-cli-trading |
| claude-haiku-4-5 | 419 | 113 | $0.000787 | ClawHub:futu-trading-bot |
| claude-haiku-4-5 | 427 | 110 | $0.000782 | ClawHub:finance-trading |
| claude-haiku-4-5 | 426 | 61 | $0.000585 | ClawHub:trading-software-efficiency |
| claude-haiku-4-5 | 429 | 120 | $0.000823 | ClawHub:skill-trading-journal |

AUTO AUDIT RESULTS

AUTOAUDIT Summary -- 2026-03-23


Findings


WARNING


1. LaunchAgent `clawstin.papertrader` exit 127 — command not found. Papertrader smoke test passes (state files valid, cron jobs healthy), so the cron-based papertrader works. The LaunchAgent plist at `~/Library/LaunchAgents/clawstin.papertrader.plist` has a PATH issue.
2. LaunchAgent `com.clawstin.balance-notify` exit 1. Plist exists at `~/Library/LaunchAgents/com.clawstin.balance-notify.plist`. Needs investigation — may be a stale or broken automation.
3. LaunchAgent `clawstin.fer-monitor` exit 2 — 15th consecutive. Plist still on disk at `~/Library/LaunchAgents/clawstin.fer-monitor.plist`. Agent unloaded from launchd; only file deletion remains.
4. AGENTS.md at 861 words (threshold: 400). Total context load across all injected+startup files: 1,487 words (under 1,500 threshold). AGENTS.md is the sole contributor pushing single-file limits. Swarm Canvas and Context Guard sections remain candidates for extraction to on-demand reads.
5. SCHEDULE.md has 4 unparseable entries (up from 3 last audit):
   - `July 15 — ski needs an STD test` — no year, inconsistent format.
   - `Justin +100 paycheck this coming week — SPW subsequent withdrawal (expense)` — no date at all.
   - `April 21 - Traffic Court` — no year prefix, inconsistent dash format.
   - `Monday 3/23 9:00 AM — Time to pay Eason` — relative date format, will become stale/ambiguous.
6. Bite-Sizer non-compliance — 23 workflow/action files with >3 inline steps and no step directory. Unchanged from last audit. Workflows (6): BAR, BNT, BOOK, FIX, OPINV, REVIEW. Hellbot (1): HELL. Actions (16): BED, DIAG, EHUNT, EREAD, MADD, MDE, MEDIC, MGET, PFAIL, RE, SSA, ULP, WHAM, WHCI, WHINV, WHORD.

Carried Over


1. FER plist on disk — 15th consecutive (launchd unloaded; file deletion remains).
2. LaunchAgent `clawstin.papertrader` exit 127 — 2nd consecutive. PATH issue in plist.
3. LaunchAgent `com.clawstin.balance-notify` exit 1 — 2nd consecutive.
4. Bite-Sizer non-compliance — 23 files, unchanged from last audit.
5. AGENTS.md over 400-word threshold — 861 words. Ongoing.
6. SCHEDULE.md unparseable entries — now 4 (added relative-date Eason entry).

Resolved Since Last Audit


- Gmail OAuth (both accounts) — CRITICAL resolved. Session 2 on 3/22 reauthed both. Smoke test confirms all 3 accounts live, triage running within last hour.
- Proton IMAP down — CRITICAL resolved. Session 2 on 3/22 restarted Proton Bridge. Pre-audit IMAP check passes.
- nightly-books-sync cron error — CRITICAL resolved. Session 2 on 3/22 deleted the cron job (laptop sleep blocks SSH).

Past-Due Schedule Entries


- 2026-03-20 09:00 — Dentist appointment in 1 week (March 27 at 1pm)
- 2026-03-19 09:00 — Ethernet cables arriving — set up Raspberry Pi print bridge + keepalive cron

Fired One-Shot Reminders


None flagged by pre_audit.

Step Completion Checklist

- Step 1 -- Pre-Audit Data: completed (13 checks; 0 errors, 2 warnings: LaunchAgents 3 flagged + schedule 2 past-due)
- Step 1.5 -- Smoke Tests: completed (12 pass, 0 warn, 0 fail — all Gmail tokens valid, signal-cli responding, vitals API up, gateway running, papertrader state valid)
- Step 2 -- Last Report Review: completed (3 CRITICALs from last run all resolved; 3 WARNINGs carried over)
- Step 3 -- Daily Integration: completed (2026-03-22 log reviewed, 4 sessions; all referenced scripts verified: memory_fallback.py ✓, memory_linker.py ✓, book_queue.json ✓; no 2026-03-23 log yet as expected at 3AM)
- Step 4 -- Git Diff + Downstream: completed (6 commits reviewed; major: accounts_receipt.py SAX rewrite, book queue system, 48 product standardizations, morning brief prompt rewrite; no stale references found)
- Step 5 -- File Health Review: completed (MEMORY.md 117w healthy; total context 1,487w under threshold; AGENTS.md 861w over 400 single-file threshold; SCHEDULE.md 2 past-due + 4 unparseable)
- Step 6 -- Cron + Automation: completed (37 cron jobs reviewed; all healthy — no errors; model assignments appropriate; LaunchAgents: 3 flagged — papertrader exit 127, fer-monitor exit 2, balance-notify exit 1; vital-server, vitals-api, cloudflared running)
- Step 7 -- Script Validation: completed (send-todo.sh ✓, triage-proton.py ✓ + IMAP passing, triage.py ✓ + OAuth valid, watchdog/ ✓ 6 files present)
- Step 8 -- Cross-File Consistency: completed (23 bite-sizer non-compliant files unchanged; SCHEDULE.md 4 format inconsistencies; no contradictions between injected files; FER plist still on disk)

CAPABILITY QUEUE

PAPER TRADING

| Model | Portfolio Value | P/L | Cash | Holdings |
|---|---|---|---|---|
| MACD+RSI | $966.44 | $-33.56 (-3.4%) | $521.05 | MSTR 1.1148sh @$134.55, CRM 0.7494sh @$196.89, GOOGL 0.4798sh @$308.14 |
| Momentum EMA | $993.01 | $-6.99 (-0.7%) | $993.01 | Cash only |
| Rocket Rider | $1159.43 | +$159.43 (+15.9%) | $1159.43 | Cash only |
| News Sentiment | $1000.00 | +$0.00 (+0.0%) | $1000.00 | Cash only |
| Sector Surfer | $1000.00 | +$0.00 (+0.0%) | $1000.00 | Cash only |
| Earnings Stalker | $1000.00 | +$0.00 (+0.0%) | $1000.00 | Cash only |
| Fear Eater | $1000.00 | +$0.00 (+0.0%) | $1000.00 | Cash only |
| Unusual Volume | $1000.00 | +$0.00 (+0.0%) | $1000.00 | Cash only |
| Gap Trader | $988.76 | $-11.24 (-1.1%) | $690.52 | ADBE 0.6013sh @$249.44, MSTR 1.1028sh @$134.43 |
| Consolidation Bomber | $1000.00 | +$0.00 (+0.0%) | $1000.00 | Cash only |
| Trump Whisperer | $1000.00 | +$0.00 (+0.0%) | $1000.00 | Cash only |
| Capitol Copycat | $999.37 | $-0.63 (-0.1%) | $899.37 | VST 0.6314sh @$158.38 |
| Dual Momentum | $1000.00 | +$0.00 (+0.0%) | $1000.00 | Cash only |
| Squeeze Breakout | N/A | N/A | N/A | — |
| 52wk High | N/A | N/A | N/A | — |
| Donchian Turtle | $986.94 | $-13.06 (-1.3%) | $986.94 | Cash only |
| Williams %R | $1000.00 | +$0.00 (+0.0%) | $1000.00 | Cash only |
| KAMA Adaptive | $969.82 | $-30.18 (-3.0%) | $671.39 | GOOGL 0.4886sh @$307.35, CRM 0.7530sh @$196.89 |
| Triple MA | $1000.00 | +$0.00 (+0.0%) | $1000.00 | Cash only |
| Insider Buyer | $1000.00 | +$0.00 (+0.0%) | $1000.00 | Cash only |
| Index Rider | $1000.00 | +$0.00 (+0.0%) | $1000.00 | Cash only |
| FDA Catalyst | $1000.00 | +$0.00 (+0.0%) | $1000.00 | Cash only |
| Sprint Rider | $1000.00 | +$0.00 (+0.0%) | $1000.00 | Cash only |
| Trend Reversion | $1000.00 | +$0.00 (+0.0%) | $1000.00 | Cash only |
| Sector Rotator | $1000.00 | +$0.00 (+0.0%) | $1000.00 | Cash only |
| Volume Breakout | $1000.00 | +$0.00 (+0.0%) | $1000.00 | Cash only |
| Dual Timeframe | $1000.00 | +$0.00 (+0.0%) | $1000.00 | Cash only |

AGENT TRADER

Portfolio: $985.32 ($-14.68 / -1.5%)  |  Cash: $985.32  |  Trades: 4 (W:0 L:2 WR:0%)

Thesis (2026-03-23): [risk-off / ] Broad, correlated selloff across equities, bonds, and gold signals a liquidity-driven or forced-deleveraging event — cash is king today, and the only edge is relative strength longs if panic creates a reversal, or staying flat entirely.

Candidates: CRM (4⭐), NFLX (4⭐), AAPL (3⭐), AMD (1⭐)

No open positions.

POLYMARKET

Portfolio: $869.32 ($-130.68 / -13.1%)  |  Bankroll: $256.16  |  Open: 15 positions  |  Resolved: 23 (W:0 L:0)  |  Realized P&L: $-130.68

| Market | Side | Entry | Bet | Ends |
|---|---|---|---|---|
| Weed rescheduled by June 30? | YES | 0.170 | $66.66 | 2026-03-31 |
| MegaETH market cap (FDV) >$6B one day after launch? | YES | 0.017 | $53.33 | 2026-06-30 |
| Netanyahu out by June 30? | YES | 0.145 | $53.33 | 2026-12-31 |
| Foreign intervention in Gaza by March 31? | YES | 0.030 | $42.67 | 2026-03-31 |
| Foreign intervention in Gaza by April 30? | YES | 0.160 | $42.67 | 2026-03-31 |
| Foreign intervention in Gaza by June 30? | YES | 0.380 | $42.66 | 2026-03-31 |
| Will Thomas Murphy be the Republican nominee for Senate in S | YES | 0.003 | $34.13 | 2026-06-09 |
| Weed rescheduled by December 31? | YES | 0.473 | $34.13 | 2026-03-31 |
| Will Israel launch a major ground offensive in Gaza by March | YES | 0.038 | $27.31 | 2025-10-31 |
| Will Israel launch a major ground offensive in Gaza by June | YES | 0.130 | $27.31 | 2025-10-31 |
| Will Israel launch a major ground offensive in Gaza by Decem | YES | 0.310 | $27.30 | 2025-10-31 |
| Will Russia capture Kostyantynivka by March 31? | YES | 0.050 | $51.82 | 2026-03-31 |
| Will Trump visit China by April 30? | YES | 0.125 | $25.89 | 2026-04-30 |
| Weed rescheduled by March 31? | YES | 0.005 | $61.28 | 2026-03-31 |
| Will GPT-6 be released by March 31, 2026? | YES | 0.003 | $22.67 | 2025-12-31 |

SECURITY AUDIT

Security Guard Report — 2026-03-23


- Run time: 2026-03-23 approximately 03:35 AM EDT
- AutoAudit verified: YES — autoaudit-latest.md dated 2026-03-23 confirmed
- Sandbox: lsof, pgrep, fdesetup, netstat, git, log blocked by allowlist
- External intel: No network access. All 5 sources unavailable (sandbox_no_network_access).


Executive Summary


| Sev | ID | Title | Status |
|---|---|---|---|
| 9 | SG-2026-03-23-001 | Gmail OAuth tokens world-readable — 3 accounts + client secret exposed | NEW |
| 9 | SG-2026-03-21-001 | Third-party API credentials in git history | Carried over |
| RESOLVED | SG-2026-03-21-002 | Ollama all-interfaces binding fixed | RESOLVED |
| 3 | SG-2026-03-23-002 | FER monitor plist on disk — 16th consecutive day | Carried over |
| 2 | SG-2026-03-23-003 | balance-alert-pending.txt world-readable | Carried over |

Signal alert sent for SG-2026-03-23-001 (new Severity 9). SG-2026-03-21-001 was signaled 2026-03-21 β€” not re-signaled.


Detailed Findings




SG-2026-03-23-001: Gmail OAuth Tokens World-Readable — 3 Accounts + OAuth Client Secret

Severity: 9 — HIGH | NEW | Not previously reported or accepted
Description
Three live Gmail OAuth token files in ~/.openclaw/gmail/ carry world-readable permissions (-rw-r--r--). The parent directory is world-executable (drwxr-xr-x). All three contain live bearer and refresh tokens. One file (token-clawstinai.json) additionally exposes the OAuth client_secret.
These are the operational in-use copies. This is NOT covered by accepted risk SG-2026-03-18-001. That acceptance specifically covers the lifeboat copies in lifeboat-system/gmail-tokens/ (confirmed mode 600 in mode 700 directory — correctly protected). The operational copies in ~/.openclaw/gmail/ are a separate directory not examined in that acceptance.
Evidence

```
stat ~/.openclaw/gmail/token-adalsey.json
  Mode: -rw-r--r--   Size: 721 bytes   Modified: Mar 22 11:15:48 2026
stat ~/.openclaw/gmail/token-krspamgang.json
  Mode: -rw-r--r--   Size: 721 bytes   Modified: Mar 22 11:18:11 2026
stat ~/.openclaw/gmail/token-clawstinai.json
  Mode: -rw-r--r--   Size: 695 bytes   Modified: Mar 10 10:31:14 2026
stat ~/.openclaw/gmail/ (directory)
  Mode: drwxr-xr-x   62 entries

grep "refresh_token" on each file: CONFIRMED PRESENT (values redacted)
head token-clawstinai.json:
  refresh_token field: [REDACTED]
  access_token field: [REDACTED]
  client_secret field: [REDACTED]
  token_uri: https://oauth2.googleapis.com/token

Lifeboat copies (confirmed correctly protected per SG-2026-03-18-001 scope):
  lifeboat-system/gmail-tokens/token-adalsey.json   Mode: -rw------- (600) CORRECT
  lifeboat-system/gmail-tokens/ (directory)         Mode: drwx------ (700) CORRECT
```
Tokens for adalsey and krspamgang were refreshed as recently as Mar 22 11:15-11:18 AM. Confirmed live and active.
Impact
- Stolen refresh token (adalsey or krspamgang): full Gmail read and send access as Ghost; survives password changes; requires explicit Google Account revocation
- OAuth client_secret exposure (clawstinai): enables forging new authorization code flows as the registered application; combined with the refresh token yields an independently renewable session
- Attack vector: any local process (including sandboxed Brave renderers, LaunchServices helpers) can read world-readable files without privilege escalation; parent directory is world-traversable

Why SG-2026-03-18-001 Does Not Apply
That acceptance described tokens as "owner-only (600) in 700 dirs" - accurately describing lifeboat-system/ only. The ~/.openclaw/gmail/ directory was not assessed in that acceptance and is not owner-only. Two distinct locations, two distinct permission states.
Rationale for Rating 9
Per danger rubric: "Plaintext credentials stored insecurely (not exposed externally but accessible locally without privilege)" = Severity 9. Tokens are live (refreshed within 24 hours). No privilege escalation required. Impact = full email account compromise for Ghost's primary address.
Remediation
```
chmod 600 ~/.openclaw/gmail/token-adalsey.json
chmod 600 ~/.openclaw/gmail/token-krspamgang.json
chmod 600 ~/.openclaw/gmail/token-clawstinai.json
chmod 700 ~/.openclaw/gmail/
```
Optional: evaluate whether the client_secret exposure in token-clawstinai.json warrants rotating the OAuth application credentials in Google Cloud Console.


SG-2026-03-21-001: Third-Party API Credentials - Git History Persistence

Severity: 9 - HIGH | Carried over | Previously signaled 2026-03-21
Update Today
The credential-containing files are no longer present in the workspace working directory:
```
find /Users/aicomputer/.openclaw/workspace -name "voice-call-config*"
→ (no output)
```
Partial remediation. Remaining concerns:
- git command blocked by sandbox - git filter-repo purge status unverifiable
- .git/objects/ may still contain commits referencing these files
- Lifeboat ZIP files created before deletion contain these files
- Third-party API credentials (Twilio authToken [REDACTED], ElevenLabs key [REDACTED]) should be rotated

Rating 9 maintained until Ghost confirms: (1) credentials rotated at providers, (2) git history status resolved.


SG-2026-03-21-002 - RESOLVED: Ollama Binding Corrected to 127.0.0.1

Previous Severity: 7 | RESOLVED as of 2026-03-23
```
cat /Users/aicomputer/Library/LaunchAgents/com.ollama.ollama.plist
  OLLAMA_HOST environment variable: 127.0.0.1:11434 (was previously 0.0.0.0:11434 - corrected)

ps aux | grep ollama
→ PID 85458 started 11:34AM March 23 (after plist correction)
```
All-interfaces binding eliminated. Ollama accessible from localhost only. No further action needed.


SG-2026-03-23-002: FER Monitor Plist On Disk - 16th Consecutive Day

Severity: 3 - LOW
```
Path: /Users/aicomputer/Library/LaunchAgents/clawstin.fer-monitor.plist
Mode: -rw-r--r--  923 bytes
Created: Feb 26 21:37:53 2026
launchctl: exit code 2, no PID (not loaded into launchd)
```
Stale non-functional plist. AutoAudit 2026-03-23 confirms: "only file deletion remains." No active execution path. No security impact. Rating 3 (cosmetic hygiene).


SG-2026-03-23-003: balance-alert-pending.txt World-Readable

Severity: 2 - LOW
```
Path: /Users/aicomputer/.openclaw/workspace/state/balance-alert-pending.txt
Mode: -rw-r--r--  157 bytes
Modified: Mar 22 23:01:50 2026
Content: Anthropic balance estimate and burn rate message - no credentials present
```
World-readable but contains no sensitive data. AutoAudit smoke tests all pass - stale cached alert, not active emergency. Rating 2 (minor hardening: chmod 640 sufficient).


System State Summary


Processes (Step 3.4)

All observed processes are expected:
- PID 34746: openclaw-gateway (LaunchAgent, KeepAlive)
- PID 34719: LuLu firewall (confirmed running)
- PID 34714: cloudflared tunnel (clawstin)
- PID 34701: Python http.server port 8877 (accepted SG-2026-03-10-002)
- PID 85458: ollama serve (127.0.0.1 confirmed - resolved)
- PID 34704: Chrome Remote Desktop (accepted SG-2026-03-09-005)
- PID 2412: security-guard-invoke.py (this run)
- Multiple Brave Browser renderers with --remote-debugging-port=18800 (accepted SG-2026-03-15-006)

No unexpected processes. No ngrok or unknown outbound agents detected.

Network Exposure (Step 3.1)

lsof and netstat blocked by sandbox. Inferred from process inspection:
- Port 8877: static site server (accepted SG-2026-03-10-002)
- Port 18789: openclaw-gateway localhost
- Port 18800: Brave CDP localhost (accepted SG-2026-03-15-006)
- Port 8080: signal-cli localhost (accepted SG-2026-03-15-004, per prior runs)
- Port 11434: Ollama 127.0.0.1 (confirmed resolved)
- Cloudflare: outbound tunnel only

No new unexpected services.

Credential Scan (Step 3.3)

| Location | Result |
|---|---|
| ~/.openclaw/gmail/token-adalsey.json | Live OAuth tokens world-readable - SG-2026-03-23-001 |
| ~/.openclaw/gmail/token-krspamgang.json | Live OAuth tokens world-readable - SG-2026-03-23-001 |
| ~/.openclaw/gmail/token-clawstinai.json | Live OAuth tokens + client_secret world-readable - SG-2026-03-23-001 |
| workspace/ voice-call-config files | Removed from working tree - git history unverified |
| workspace scripts (.py, .sh) | Credential references only - excluded per rubric |
| workspace logs | No API key patterns in accessible log files |
| /tmp/.token, .key, *.secret | None found |
| workspace state/*.json files | No credential patterns found |
| CREDENTIALS.md | References to credential store only - no raw values |

LuLu Firewall (Step 3.9)

LuLu confirmed running PID 34719. Severity 8 threshold not triggered. Rules and block log unverifiable (plutil and log commands blocked by sandbox).

Full Disk Encryption (Step 3.6)

fdesetup blocked by sandbox. FileVault was confirmed enabled in all prior Security Guard runs. No indication of change.

Git Remote (Step 3.7)

git blocked by sandbox. Prior scan confirmed workspace has no git remote configured - local-only repository. Consistent with SG-2026-03-20-008 (informational).

OpenSSL / Dependencies

OpenSSL 3.6.1 (2026-01-27) - current. No known CVEs.
npm audit: Not applicable (no package-lock.json at workspace root).


External Threat Intelligence (Step 2)


All 5 external sources unavailable (sandbox_no_network_access):
- NVD NIST: not_checked
- Node.js Security Advisories: not_checked
- macOS Security Bulletins: not_checked
- OpenClaw Advisories: accepted_risk (SG-2026-03-18-002, permanent accept)
- Signal CLI Issues: not_checked

No new external intelligence this run. Status unchanged from 2026-03-21.


Accepted Risks - Today's Status


| ID | Risk | Today |
|---|---|---|
| SG-2026-03-09-005 | Chrome Remote Desktop | PID 34704 confirmed - not re-escalated |
| SG-2026-03-10-002 | http.server port 8877 + Cloudflare | PIDs confirmed - not re-escalated |
| SG-2026-03-15-004 | Signal-CLI localhost:8080 | Prior acceptance stands |
| SG-2026-03-15-006 | Brave CDP port 18800 | Confirmed in process args - not re-escalated |
| SG-2026-03-18-001 | Lifeboat plaintext credentials | lifeboat-system/ confirmed 600/700 - valid for lifeboat scope only |
| SG-2026-03-18-002 | OpenClaw prompt injection | Permanent accept - no change |

SCOPE BOUNDARY: SG-2026-03-18-001 covers lifeboat-system/ only. The ~/.openclaw/gmail/ operational tokens are outside that scope. SG-2026-03-23-001 is a new, unaccepted finding.


Resolution Tracking


| Finding | Previous | Today |
|---|---|---|
| SG-2026-03-21-002 (Ollama binding) | Severity 7 | RESOLVED - 127.0.0.1 confirmed |
| SG-2026-03-21-001 (API credentials) | Severity 9 | Files removed from working tree; git history unverified |
| SG-2026-03-21-005 (balance-alert) | Severity 2 | Persists as SG-2026-03-23-003 |
| SG-2026-03-21-003 (FER plist) | Severity 3 | Persists as SG-2026-03-23-002 (16th day) |


Security Guard - Read-only sweep. No modifications made to any system files. All credential values redacted per mandatory policy. 2026-03-23 approximately 03:35 AM EDT