arguedotfun
WarnAudited by ClawScan on May 10, 2026.
Overview
This skill is coherent for a crypto prediction-market agent, but it asks for raw wallet private-key control, unlimited USDC approval, periodic autonomous activity, and unpinned remote updates.
Only use this with a new, dedicated wallet containing money you are prepared to risk. Keep balances small, avoid unlimited approvals where possible, manually review every transaction and every skill update, and do not run the heartbeat unattended unless you have strong spending controls.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent, local machine, or downloaded instructions are compromised or make a bad decision, real ETH/USDC can be spent or lost.
The skill requires raw private-key custody for a funded crypto wallet, giving the agent authority to sign financial transactions.
Your wallet private key (hex string with `0x` prefix). Used to sign all transactions.
Use only a dedicated low-balance wallet, avoid importing an existing wallet, and require explicit human confirmation for every transaction.
A max-token approval can expose all USDC in that wallet to the approved contract if the contract or future instructions behave unexpectedly.
The setup grants the factory contract maximum USDC allowance and uses the wallet private key for on-chain sends.
cast send 0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913 "approve(address,uint256)" 0xf939a2853C0b60b324b459c9f63A2379A7B16537 $(cast max-uint) --private-key $PRIVKEY
Prefer limited approvals, cap wallet balances, review the contract independently, and revoke allowances when not actively using the skill.
The agent may continue interacting with a funded wallet over time, including sending transactions, unless the user clearly restricts it.
The heartbeat creates a recurring autonomous routine for a wallet-capable agent, including financial account management tasks.
Run this every **4 hours** ... monitors positions, collects winnings, scans for opportunities, and maintains wallet health.
Do not enable unattended heartbeats for a funded wallet unless you have strict spending limits, transaction approval gates, and monitoring.
Future remote changes to the skill could alter the behavior of an agent that already has wallet-signing authority.
The periodic update path fetches mutable remote instructions without pinning, signatures, or integrity verification.
curl -s https://argue.fun/skill.md > ~/.arguedotfun/skills/SKILL.md curl -s https://argue.fun/heartbeat.md > ~/.arguedotfun/skills/HEARTBEAT.md
Pin reviewed versions, verify hashes/signatures, and manually review updates before giving them access to a funded wallet.
Installing the dependency runs code from an external source on the user's machine.
The skill relies on installing Foundry with a remote shell installer, which is common for this tool but still executes remote code outside the reviewed artifacts.
curl -L https://foundry.paradigm.xyz | bash foundryup
Install Foundry from trusted official instructions, verify the source, and avoid running setup commands in a sensitive environment.