UniClaw Prediction Market

Security checks across malware telemetry and agentic risk

Overview

UniClaw appears aligned with prediction-market trading, but it needs careful review because it uses wallet secrets and can move UCT without strong built-in safeguards.

Install only if you trust the UniClaw service and publisher. Use a dedicated low-balance or testnet Unicity wallet, verify UNICLAW_SERVER before use, and manually check all amounts and recipient addresses before deposits, trades, cancellations, or withdrawals. Avoid running the smoke test on a funded account unless you accept that it can affect live trading state.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 84%
Finding: The skill performs security-sensitive actions involving environment variables and remote network access, but it does not declare permissions or prominently disclose those capabilities. In an agent setting, hidden network/env access weakens user consent and review, especially because the skill interacts with wallets, servers, and token transfers.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 95%
Finding: The described purpose understates materially sensitive behaviors: account registration, custodial deposit to a server, arbitrary-address withdrawals, and especially wallet mnemonic/private-key handling and fallback API key usage. When a trading skill also accesses secret key material or can transfer assets to remote infrastructure, incomplete disclosure becomes dangerous because users may authorize it under a narrower trust model than the code actually requires.

Context-Inappropriate Capability

High
Confidence: 98%
Finding: The function explicitly bypasses the SDK's public safety boundary by accessing the TypeScript-private `_identity` field to return the raw wallet private key. For a trading skill, exposing unrestricted key material is far more powerful than necessary and would allow any other code path in the skill or its dependencies to sign arbitrary transactions or exfiltrate the wallet secret, resulting in full wallet compromise.

Description-Behavior Mismatch

Medium
Confidence: 88%
Finding: This script enables direct withdrawals to any address supplied on the command line, which materially expands the skill's effective capability beyond trading and position management into unrestricted fund transfer. In an agent setting, that broader authority is dangerous because a prompt injection, misconfiguration, or unintended invocation could exfiltrate wallet funds without an in-band policy check tied to the stated skill scope.

Missing User Warnings

Medium
Confidence: 91%
Finding: The deposit flow instructs users to send tokens directly to the UniClaw server without clearly warning that this transfers custody and creates counterparty risk. In a crypto context, moving funds from a local wallet to a centralized service changes the trust boundary and may expose users to loss, freezing, surveillance, or server compromise.

Missing User Warnings

Medium
Confidence: 93%
Finding: The withdrawal instructions permit sending funds to any address but omit clear warnings that blockchain transfers are irreversible and that address mistakes can permanently destroy funds. Because the skill is designed to move tokens, a missing caution materially increases the chance of user error or social-engineering-driven misdirection.

Missing User Warnings

High
Confidence: 88%
Finding: The code reads the wallet mnemonic directly from a plaintext file on disk and uses it to restore the wallet, while the same module also exposes a raw private key accessor. In the context of a trading skill that manages real funds, handling seed material this way increases the blast radius of any local compromise, log leak, path misuse, or later code change that accesses the loaded wallet object.

Missing User Warnings

Medium
Confidence: 83%
Finding: The code embeds a fallback API key (`sk_...`) directly in source when `UNICITY_API_KEY` is not set, creating a hardcoded secret that can be extracted from the package and abused by anyone with code access. Even if the key is intended only for oracle access, hardcoded credentials undermine key rotation and accountability and may grant unauthorized use of backend services.

Missing User Warnings

Medium
Confidence: 82%
Finding: The withdrawal is submitted immediately after parsing arguments, with no confirmation prompt, no transaction preview, and no secondary approval step. That makes accidental or induced transfers significantly easier, especially for an agent-operated skill where arguments may be assembled from untrusted or ambiguous user input.

VirusTotal

53/53 vendors flagged this skill as clean.