Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Jupiter Prediction Market
v0.1.0
Complete Node.js client for Jupiter Prediction Market API. Use when building AI agents for prediction market trading, portfolio management, or automated trad...
by MoltBot (@moltbotteam)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the code: this is a Node.js client exposing endpoints and scripts for scanning markets, managing positions, and claiming payouts. However, the registry metadata declares no required env vars/credentials, while SKILL.md and the code clearly expect a JUPITER_API_KEY (or a config/api-key.json). Also, some source files (src/market_manager.js) reference modules at paths (../api_client, ../utils) that are not present in the repo, indicating sloppy packaging or incomplete code.
Instruction Scope
SKILL.md instructs the agent to use an API key (JUPITER_API_KEY) or config/api-key.json and to run bundled scripts that perform market scanning, claiming, and trading workflows. The instructions mention transactions require user Solana wallet signatures, but the scripts and client do not include wallet signing integration — they only pass ownerPubkey strings to API endpoints. The skill's runtime instructions legitimately require access to an API key and may persist it locally; they do not ask for unrelated system files, but they are vague about how signing/authorization for on-chain actions is handled.
Install Mechanism
No install spec — instruction/code-only. package.json lists a single runtime dependency (cross-fetch), which is proportionate. There are no remote downloads or extract steps and no unusual external URLs in the repo, so installation risk is low from a supply-chain-download perspective. However, the package includes code that performs filesystem operations (reading/writing config/api-key.json).
Credentials
Registry metadata declares no required environment variables, but both SKILL.md and src/utils/api-key.js expect JUPITER_API_KEY (process.env.JUPITER_API_KEY) or the config/api-key.json file. The ApiKeyManager can write the API key to disk (config/api-key.json) and read it; that is reasonable for a client library but the lack of declared env requirements in the metadata is an inconsistency. No other credentials are requested, and code does not attempt to read unrelated system credentials, but writing persistent API keys to the agent's working directory is a sensitive action that should be acknowledged.
Persistence & Privilege
always: false (good). But the code provides ApiKeyManager.setApiKey which writes config/api-key.json in process.cwd(), and ApiKeyManager.getApiKey will read from that file — so the skill can persist API credentials to disk. This is expected for a client library but is meaningful persistence within an agent environment and increases blast radius if an API key is misused. The skill does not request elevated system-wide privileges, but the ability to write a credentials file is noteworthy.
What to consider before installing
This skill largely implements a Jupiter Prediction Market client, but there are a few things to check before using it:
- API key handling: The code expects a JUPITER_API_KEY environment variable or saves the key to config/api-key.json in the current working directory. The registry metadata does not declare this; assume the skill will read and may write an API key file. If you install it, avoid putting long-lived/privileged keys there — use a restricted/ephemeral key if possible.
- Persistence: ApiKeyManager.setApiKey() writes config/api-key.json. That will persist secrets on disk under the agent's working directory. If you run this in a shared environment, consider running in an isolated sandbox or container and delete the file after use.
- Missing/inconsistent files: src/market_manager.js requires '../api_client' and '../utils' paths that aren't present in the repo and contains mixed-language comments. This indicates the package may be incomplete or poorly packaged; test the scripts in a safe environment before relying on them.
- Wallet signing: SKILL.md says transactions require user Solana wallet signatures, but the code does not implement signing flows. Do NOT provide private keys to this package. Confirm how on-chain actions are authorized (external wallet, hardware wallet, or separate signing process) before attempting to create/cancel trades or claim payouts.
- Run in sandbox and review code: Because this skill can perform network requests and persist an API key, review the code yourself or run it in an isolated environment. Prefer ephemeral API keys and least-privilege credentials, and monitor network activity. If you don't trust the author, or you need autonomous trading, consider a security review or use a vetted client instead.