UniClaw Prediction Market
Audited by ClawScan on May 10, 2026.
Overview
The skill is coherent for prediction-market trading, but it directly uses your Unicity wallet keys and can move or trade UCT tokens without built-in confirmation safeguards.
Review this skill carefully before installing. It appears aligned with prediction-market trading, and there is no evidence of hidden private-key exfiltration, but it can use your Unicity wallet authority to deposit, trade, cancel orders, and withdraw UCT. Use a separate low-balance wallet, confirm every trade or transfer manually, do not run the smoke test on a funded account, and only point UNICLAW_SERVER at a server you trust.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the skill is misused or compromised, it could authenticate as your wallet identity and authorize account actions tied to that wallet.
The skill reads the shared Unicity wallet mnemonic and then accesses Sphere's internal identity object to retrieve the raw private key. The artifacts do not show the raw key being sent away, but this gives the skill high-impact authority over the wallet identity.
const mnemonicPath = join(config.walletDataDir, 'mnemonic.txt'); ... readFileSync(mnemonicPath, 'utf-8').trim(); ... const fullIdentity = (sphere as any)._identity; ... return fullIdentity.privateKey;
Use a separate low-balance/testnet wallet, avoid storing significant funds in the shared wallet, and prefer a version that declares this credential access clearly and uses a safer SDK signing interface instead of extracting the raw private key.
A mistaken or unintended invocation could withdraw UCT to the wrong address or an attacker-controlled address.
The withdrawal command sends a signed withdrawal request to the UniClaw server for a user-supplied amount and address, with no confirmation prompt, address allowlist, or transfer limit in the script.
const result = await apiPost('/api/agent/withdraw', { amount: parseFloat(amount), recipientAddress: to }, privateKey);
Require explicit human approval before withdrawals or deposits, verify destination addresses out of band, and use account-level limits where possible.
Running the smoke test on a funded account could create a real order, incur losses if filled, or cancel an existing order the user intended to keep.
The smoke test is not just read-only: it can place a market order and, if no test order ID is available, cancel the first existing open order it finds.
console.log(' Placing test order (YES @ 0.10, qty 1)...'); ... await apiPost(`/markets/${testMarket.id}/orders`, { side: 'yes', price: 0.10, quantity: 1 }, privateKey); ... const orderToCancel = placedOrderId ?? orders[0]?.id; ... await apiDelete(`/markets/${marketId}/orders/${orderToCancel}`, privateKey);
Do not run the smoke test with a funded or production wallet. The developer should make smoke tests dry-run by default or isolate them to a dedicated test server/account.
