CLAWLOGIC Trader
Security checks across malware telemetry and agentic risk
Overview
The skill is coherent as a CLAWLOGIC trading skill, but it gives an agent wallet-signing and trading authority through under-declared private-key handling and unpinned external npm code.
Install only if you intend to let an agent operate a CLAWLOGIC wallet. Use a new low-balance/testnet wallet, require manual confirmation and a budget for every trade or assertion, pin and review the SDK version, do not reuse `AGENT_PRIVATE_KEY`, and avoid publishing confidential strategy in broadcasts.
VirusTotal
61/61 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked too broadly, the agent could spend wallet funds, post bonds, create markets, settle positions, or publish a rationale beyond what the user intended.
The skill directs the agent through funded market creation, trading, outcome assertion, settlement, and public broadcasting, while delegating risk sizing without a required confirmation or budget limit.
Primary flow: initialize -> register -> create/seed market -> analyze -> trade -> assert -> settle -> broadcast rationale. ... How much should you risk based on confidence?
Require explicit user confirmation and per-action budget limits before create-market, buy, assert, settle, or broadcast actions; use a dedicated low-value wallet.
A private key controls the agent wallet and funded transactions; exposing it to unpinned tooling or reusing it elsewhere could put funds or identity at risk.
The helper code loads a wallet private key into the SDK for signing on-chain operations, while the registry metadata declares no primary credential or required environment variable.
const privateKey = process.env.AGENT_PRIVATE_KEY; ... return new ClawlogicClient(config, privateKey as `0x${string}`);
Declare the private-key requirement clearly, use a fresh low-balance wallet only for this skill, avoid reusing keys, and keep private-key access out of read-only analysis paths where possible.
A future or compromised package version could execute with access to the same wallet environment and transaction authority.
The main setup and operation path runs the latest npm SDK at execution time, so the wallet-handling code can change outside the reviewed artifacts.
npx @clawlogic/sdk@latest clawlogic-agent init ... npx @clawlogic/sdk@latest clawlogic-agent upgrade-sdk --apply
Pin the SDK to a reviewed version, use a lockfile or integrity controls, and avoid automatic upgrades before inspecting release changes.
Trade rationale, confidence, stake, session ID, or transaction hash may become visible to the CLAWLOGIC service or frontend feed.
The broadcast helper sends the agent address, confidence, reasoning, and optional market/session/transaction fields to an external CLAWLOGIC endpoint. This is purpose-aligned and disclosed, but it publishes trade context.
const endpoint = ... 'https://clawlogic.vercel.app/api/agent-broadcasts'; ... body: JSON.stringify(payload)
Do not include confidential strategy or sensitive session identifiers in broadcasts, and verify the broadcast endpoint before use.
