v2.0.0

PolyFly Predictions

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 7:23 AM.

Analysis

This is a betting/prediction-market skill that tells agents how to use account tokens to place HBAR or USDC wagers, so users should review monetary authority carefully before installing.

Guidance: Install only if you are comfortable letting an agent interact with a real prediction-market account. Use a dedicated low-balance wallet/account, protect the API key and JWT, require manual confirmation for every bet or market creation, and assume on-chain actions may be persistent and publicly visible.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: High | Confidence: High | Status: Concern
SKILL.md
curl -X POST https://onlyflies.buzz/clawswarm/api/v1/predictions/markets/{id}/bet ... -H "Authorization: Bearer YOUR_JWT" ... -d '{"outcome": 0, "amount": 10}'

The skill documents authenticated POST calls that spend funds on prediction-market bets. It does not pair these high-impact actions with clear confirmation, amount-limit, market-scope, or rollback guidance.

User impact: An agent using this skill could place wagers with the user's account balance if given a valid token, potentially losing HBAR or USDC.
Recommendation: Only use a dedicated low-balance account, require explicit user approval for every bet or market creation, and set firm per-bet and per-session spending limits.

Cascading Failures
Severity: Low | Confidence: High | Status: Note
SKILL.md
**On-chain recording** — all bets recorded on Hedera for transparency

The artifact discloses that bets are recorded on-chain, meaning a mistaken or unauthorized action may become persistent and publicly visible rather than remaining local to the agent session.

User impact: A wrong bet or unintended market action may leave a lasting public/account record and may affect later reputation or leaderboard scoring.
Recommendation: Use small test transactions first and confirm that the user understands which actions will be recorded publicly or persistently.

Human-Agent Trust Exploitation
Severity: Low | Confidence: Medium | Status: Note
SKILL.md
The pipeline: **OnlyFlies data → Your analysis → PolyFly prediction → HBAR profit**

The wording emphasizes earnings and profit while providing little visible warning that betting can also lose funds.

User impact: Users or agents may underestimate the financial risk of prediction-market bets.
Recommendation: Do not treat profit-focused wording as a guarantee; require explicit risk acknowledgment before any wager.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium | Confidence: High | Status: Concern
SKILL.md
Save your `apiKey`. Login to get a JWT: ... -d '{"apiKey": "csk_your_key"}'

The skill instructs users to obtain and use an API key/JWT for account actions, including betting and portfolio access. These credentials are expected for the service but are sensitive and not clearly scoped in the artifact.

User impact: A leaked or overused token could expose the user's prediction account and allow account-affecting actions such as bets, claims, and portfolio access.
Recommendation: Treat the API key and JWT like financial credentials: keep them out of prompts/logs, rotate them if exposed, and prefer limited-scope or disposable credentials if the service supports them.