Skill v1.0.0
ClawScan security
Smart Agent Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 30, 2026, 2:50 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's requirements and code are consistent with a Polymarket trading bot: it needs an AION_API_KEY and the aion-sdk, will scan markets and (optionally) place trades; no unrelated credentials, obfuscated endpoints, or unusual install mechanisms were found.
- Guidance
- This skill appears to do what it says, but trading bots carry practical risks. Before installing: 1) Test thoroughly in dry-run mode (do not pass --live or set RUN_LIVE=true). 2) Create an AION API key with minimal permissions for testing and enable trading permissions only once you are confident. 3) Review and pin the 'aion-sdk' package source and version before installing. 4) Note that the automaton cron runs the skill every 15 minutes; disable scheduling if you do not want autonomous runs. 5) The shipped script as shown contains a coding error (a truncated call to args.trade_amoun); review the full source before trusting live execution. If you want, I can point out the exact lines to fix or produce a safe checklist for auditing the AION API calls and permissions.
Review Dimensions
- Purpose & Capability
- ok: Name/description (Polymarket thesis trader) align with the declared dependency (aion-sdk), the required env var (AION_API_KEY), and the code, which constructs an AionClient and calls market discovery and trade methods.
- Instruction Scope
- note: SKILL.md and the script limit their actions to market discovery, context checks, and trade execution via the AionClient. They read only the declared env vars and CLI flags. Note: SKILL.md and the code default to dry-run unless --live or RUN_LIVE=true is supplied, which is a safety-friendly default.
- Install Mechanism
- ok: This is an instruction-only skill with a pip requirement for 'aion-sdk' declared in clawhub.json. There is no download-from-URL, no archive extraction, and no unexpected installer.
- Credentials
- note: The only required secret is AION_API_KEY, which is appropriate for a trading skill that uses the AION SDK. Verify the API key's permissions (limit it to read-only unless live trading is intended) and use a key with minimal rights for testing.
- Persistence & Privilege
- note: clawhub.json sets a cron (*/15 * * * *) and automaton.managed=true, so the skill is intended to run periodically. It is not 'always:true'. Because the skill can execute real trades when run with --live or RUN_LIVE=true, make sure you are comfortable granting the AION API credential to an autonomously scheduled task.
