CLAWLOGIC Trader

Verdict: Suspicious

Audited by ClawScan on May 10, 2026.

Overview

The skill matches its stated CLAWLOGIC trading purpose, but it can use a raw wallet private key to sign and submit market transactions and it runs unpinned npm code, so it should be reviewed carefully before use.

Use this only with a dedicated low-funded CLAWLOGIC/Arbitrum Sepolia wallet, pin and review the SDK version, set strict trade and bond limits, require explicit approval before any transaction, and treat broadcasts as public.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the agent uses this key, it can sign market transactions and spend, lock, or risk wallet funds on the configured network.

Why it was flagged

The helper creates a signing client from a raw wallet private key. Signing is central to trading, but the registry metadata declares no required environment variables and no primary credential, so users are not clearly told that installing the skill hands an agent wallet signing authority.

Skill content
const privateKey = process.env.AGENT_PRIVATE_KEY; ... return new ClawlogicClient(config, privateKey as `0x${string}`);
Recommendation

Declare the wallet credential explicitly, use a dedicated low-funded wallet, and separate read-only analysis from transaction-signing operations.

What this means

A mistaken or overbroad agent action could create markets, place trades, or make assertions that lose funds or bonds.

Why it was flagged

When invoked, the helper immediately submits a wallet transaction using the supplied ETH amount. Related helpers also create markets and assert outcomes, but the artifacts do not show enforced user confirmation, max spend, or bond limits.

Skill content
const txHash = await client.mintOutcomeTokens(marketId, weiAmount);
Recommendation

Require explicit per-transaction user approval and configure hard maximums for trade size, market seed liquidity, and assertion bond exposure.
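The two recommendations above (declare the credential and keep read-only work away from the key; gate every transaction behind hard caps and an explicit approval) can be implemented as a thin wrapper around the SDK client. The following is an added example, not code from the skill or from the CLAWLOGIC SDK. It assumes a client with `mintOutcomeTokens` and `assertOutcome` methods (the method names come from the audit snippets; the signatures are assumed), an `AGENT_PRIVATE_KEY` environment variable as shown in the finding, and amounts expressed in wei as `bigint`.

```typescript
// Added example (not the skill's or the SDK's own code). The signer interface
// below is an assumed shape of the ClawlogicClient used by the skill.

type Hex = `0x${string}`;

// Signing surface of the SDK client (assumed shape).
interface SigningMarketClient {
  mintOutcomeTokens(marketId: string, weiAmount: bigint): Promise<Hex>;
  assertOutcome(marketId: string, bondWei: bigint): Promise<Hex>;
}

// Declare the credential explicitly and validate its shape before it reaches
// any SDK code. Read-only analysis must never call this.
function loadSigningKey(env: Record<string, string | undefined>): Hex {
  const key = env.AGENT_PRIVATE_KEY;
  if (!key) throw new Error('AGENT_PRIVATE_KEY is required for signing operations');
  if (!/^0x[0-9a-fA-F]{64}$/.test(key)) throw new Error('AGENT_PRIVATE_KEY is not a 32-byte hex key');
  return key as Hex;
}

// Hard limits, in wei, fixed by the operator before the agent runs.
interface TradePolicy {
  maxTradeWei: bigint;        // cap per mint/trade transaction
  maxBondWei: bigint;         // cap per assertion bond
  maxSessionSpendWei: bigint; // running cap across the whole session
  approve: (summary: string) => Promise<boolean>; // human approval for each transaction
}

type Kind = 'trade' | 'bond';
interface Verdict { allowed: boolean; reason?: string }

class GuardedTrader {
  private spentWei = BigInt(0);
  constructor(private readonly signer: SigningMarketClient, private readonly policy: TradePolicy) {}

  // Pure policy check, kept separate from the async approval so it can be unit-tested.
  evaluate(kind: Kind, wei: bigint): Verdict {
    if (wei <= BigInt(0)) return { allowed: false, reason: 'amount must be positive' };
    const cap = kind === 'trade' ? this.policy.maxTradeWei : this.policy.maxBondWei;
    if (wei > cap) return { allowed: false, reason: `${kind} of ${wei} wei exceeds per-tx cap ${cap}` };
    if (this.spentWei + wei > this.policy.maxSessionSpendWei)
      return { allowed: false, reason: `session cap ${this.policy.maxSessionSpendWei} wei would be exceeded` };
    return { allowed: true };
  }

  private async gate(kind: Kind, marketId: string, wei: bigint): Promise<void> {
    const v = this.evaluate(kind, wei);
    if (!v.allowed) throw new Error(v.reason);
    if (!(await this.policy.approve(`${kind} ${wei} wei on market ${marketId}`)))
      throw new Error('transaction declined by operator');
  }

  async mintOutcomeTokens(marketId: string, weiAmount: bigint): Promise<Hex> {
    await this.gate('trade', marketId, weiAmount);
    const tx = await this.signer.mintOutcomeTokens(marketId, weiAmount);
    this.spentWei += weiAmount; // count spend only once the tx is actually submitted
    return tx;
  }

  async assertOutcome(marketId: string, bondWei: bigint): Promise<Hex> {
    await this.gate('bond', marketId, bondWei);
    const tx = await this.signer.assertOutcome(marketId, bondWei);
    this.spentWei += bondWei;
    return tx;
  }

  get sessionSpendWei(): bigint { return this.spentWei; }
}

// Constructed stand-in signer so the example runs offline; it records calls
// instead of signing or broadcasting anything.
function fakeSigner(): SigningMarketClient & { calls: string[] } {
  const calls: string[] = [];
  return {
    calls,
    async mintOutcomeTokens(id: string, wei: bigint): Promise<Hex> { calls.push(`mint:${id}:${wei}`); return '0xaa'; },
    async assertOutcome(id: string, wei: bigint): Promise<Hex> { calls.push(`assert:${id}:${wei}`); return '0xbb'; },
  };
}
```

The wrapper is only useful if the agent is given `GuardedTrader` and never the raw SDK client; an agent that can reach `ClawlogicClient` directly bypasses every check here. Keep the session counter in the wrapper, not in the model's context, and have `approve` talk to a human (a console prompt or a chat confirmation), not to the agent.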

What this means

A future or compromised package release could change the behavior of wallet or trading commands without the user realizing it.

Why it was flagged

The setup and tool examples fetch the SDK CLI at @latest. That unpinned runtime code is used for wallet initialization and market operations, while no install spec or lockfile pins the reviewed dependency version.

Skill content
npx @clawlogic/sdk@latest clawlogic-agent init
Recommendation

Pin exact package versions, publish a lockfile or install spec, and review the SDK source before using it with a funded wallet.
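A pre-install check makes the pinning recommendation enforceable rather than advisory: refuse any dependency specifier that is not an exact version, any `npx ...@latest` style command, and a repository with no lockfile. The following is an added example, not code from the skill or the SDK; the sample package.json, file list and version numbers are constructed to mirror the finding.

```typescript
// Added example (not the skill's or the SDK's own code): a lint that runs
// before `npm install` and fails on unpinned dependencies, unpinned npx
// commands, and a missing lockfile.

// Exact semver only: no ^, ~, ranges, dist-tags (latest, next), or URLs.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;
const LOCKFILES = ['package-lock.json', 'npm-shrinkwrap.json', 'yarn.lock', 'pnpm-lock.yaml'];

interface PackageJson {
  dependencies?: Record<string, string>;
  devDependencies?: Record<string, string>;
}

// Names of dependencies whose specifier is not an exact version.
function findUnpinnedDeps(pkg: PackageJson): string[] {
  const all: Record<string, string> = { ...(pkg.dependencies ?? {}), ...(pkg.devDependencies ?? {}) };
  return Object.keys(all).filter((name) => !EXACT_VERSION.test(all[name])).sort();
}

// Splits an `npx [flags] <pkg>[@spec] ...` command into package name and spec.
function parseNpxSpec(command: string): { name: string; spec?: string } | null {
  const m = command.trim().match(/^npx\s+(?:-\S+\s+)*((?:@[^\/\s]+\/)?[^@\s]+)(?:@(\S+))?/);
  return m ? { name: m[1], spec: m[2] } : null;
}

// A command is acceptable only when it names an exact version explicitly.
function npxIsPinned(command: string): boolean {
  const parsed = parseNpxSpec(command);
  return parsed !== null && parsed.spec !== undefined && EXACT_VERSION.test(parsed.spec);
}

// Full review of an install spec: returns human-readable problems, empty when clean.
function reviewInstallSpec(pkg: PackageJson, repoFiles: string[], commands: string[]): string[] {
  const problems: string[] = [];
  for (const dep of findUnpinnedDeps(pkg)) problems.push(`dependency ${dep} is not pinned to an exact version`);
  if (!repoFiles.some((f) => LOCKFILES.includes(f))) problems.push('no lockfile committed');
  for (const c of commands) if (!npxIsPinned(c)) problems.push(`command runs unpinned code: ${c}`);
  return problems;
}

// Constructed sample mirroring the finding; the version strings are illustrative.
const SAMPLE_PKG: PackageJson = {
  dependencies: { '@clawlogic/sdk': 'latest', 'example-dep': '^2.0.0' },
  devDependencies: { typescript: '5.4.5' },
};
const SAMPLE_FILES = ['package.json', 'SKILL.md'];
const SAMPLE_COMMANDS = ['npx @clawlogic/sdk@latest clawlogic-agent init'];

// Run as a script: non-zero exit blocks the install in CI.
function main(): number {
  const problems = reviewInstallSpec(SAMPLE_PKG, SAMPLE_FILES, SAMPLE_COMMANDS);
  for (const p of problems) console.error(`install-spec: ${p}`);
  return problems.length === 0 ? 0 : 1;
}
```

Pinning the specifier is necessary but not sufficient: an exact version still resolves to whatever the registry serves under that version, so commit the lockfile (which records the tarball integrity hash) and install with `npm ci` so the recorded hash is enforced.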

What this means

Trade rationale, public wallet address, and optional session or transaction identifiers may be sent to the CLAWLOGIC web API or another configured endpoint.

Why it was flagged

The broadcast helper posts a payload including agent address, reasoning, confidence, and optional session or trade fields to a default or environment-configured endpoint. This is aligned with the broadcast feature, and the shown payload does not include the private key.

Skill content
const response = await fetch(endpoint, { method: 'POST', headers, body: JSON.stringify(payload) });
Recommendation

Only broadcast information intended to be public, verify the endpoint, and avoid placing secrets or private strategy details in the reasoning text.