Jupiter Prediction Market
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This appears to be a legitimate Jupiter prediction-market client, but it gives agents high-impact trading and position-management abilities without clear approval or risk-limit boundaries.
Install only if you intend to let an agent work with Jupiter Prediction Market data and trading workflows. Keep the API key private, require manual review/signature for every trade or position change, set strict exposure limits, and treat bulk close or automated trading actions as financially risky.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If connected to a valid API key and signing flow, an agent could initiate or prepare trades, cancellations, claims, or position-closing actions that affect the user's money.
The client exposes financial market mutation methods as simple API calls, including creating orders and closing all positions. In the skill's autonomous trading context, the artifacts do not define confirmation, budget, risk-limit, or rollback controls around these actions.
async create(orderData) { return this.post('/orders', orderData); }
...
async closeAllPositions(ownerPubkey) { return this.delete('/positions', { ownerPubkey }); }
Use only with explicit per-action user approval, wallet signature review, dry-run modes, and strict limits on order size, total exposure, and bulk position changes.
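The controls the finding asks for (per-action approval, dry run, per-order and total exposure caps, and a hard stop on bulk close) can be added by the caller without touching the skill. The following is an added example written for this review, not code from the skill or from Jupiter. RecordingClient only mirrors the shape of the two reviewed methods and never reaches the network; the amountMicroUsd field, the limit values and the approve() hook are assumptions for illustration, not the skill's real API.

```javascript
// Added example, not code from the reviewed skill: a guardrail layer placed
// between an agent and the Jupiter client. RecordingClient mirrors the shape of
// the reviewed snippet (create / closeAllPositions) but never touches the
// network. The field name amountMicroUsd, the limit values and the approve()
// hook are assumptions for illustration, not the skill's real API.
const MICRO_USD = 1_000_000;

class RecordingClient {
  constructor() { this.calls = []; }
  async post(path, body) { this.calls.push({ method: 'POST', path, body }); return { ok: true }; }
  async delete(path, body) { this.calls.push({ method: 'DELETE', path, body }); return { ok: true }; }
  async create(orderData) { return this.post('/orders', orderData); }
  async closeAllPositions(ownerPubkey) { return this.delete('/positions', { ownerPubkey }); }
}

class GuardedClient {
  // approve(request) is the human-in-the-loop hook: it should show the exact
  // action (and, for real trades, the wallet signature) and return true only
  // on an explicit yes. Defaulting to "deny" keeps an unconfigured guard safe.
  constructor(client, { maxOrderUsd, maxExposureUsd, approve = () => false, dryRun = false }) {
    Object.assign(this, { client, maxOrderUsd, maxExposureUsd, approve, dryRun });
    this.exposureUsd = 0; // running total of orders actually submitted
  }

  // Policy decision, synchronous and side-effect free so it can be logged and
  // unit-tested. request is { action: 'create', orderData } or
  // { action: 'closeAllPositions', ownerPubkey }. Returns { allowed, reason }.
  decide(request) {
    const deny = (reason) => ({ allowed: false, reason });
    if (request.action === 'create') {
      const micro = request.orderData && request.orderData.amountMicroUsd;
      const sizeUsd = typeof micro === 'number' ? micro / MICRO_USD : NaN;
      if (!Number.isFinite(sizeUsd) || sizeUsd <= 0) return deny('invalid or missing order size');
      if (sizeUsd > this.maxOrderUsd) return deny(`order of ${sizeUsd} USD exceeds per-order limit ${this.maxOrderUsd}`);
      if (this.exposureUsd + sizeUsd > this.maxExposureUsd) {
        return deny(`exposure would reach ${this.exposureUsd + sizeUsd} USD, limit ${this.maxExposureUsd}`);
      }
      if (!this.approve({ ...request, sizeUsd })) return deny('not approved by user');
      return { allowed: true, reason: 'within limits and approved', sizeUsd };
    }
    if (request.action === 'closeAllPositions') {
      // Bulk close bypasses per-order sizing entirely, so it is never allowed
      // without a fresh explicit approval that names the owner key.
      if (typeof request.ownerPubkey !== 'string' || request.ownerPubkey.length === 0) return deny('missing owner key');
      if (!this.approve({ ...request, bulk: true })) return deny('bulk close not approved by user');
      return { allowed: true, reason: 'bulk close explicitly approved' };
    }
    return deny(`unknown action ${request.action}`);
  }

  async create(orderData) {
    const decision = this.decide({ action: 'create', orderData });
    if (!decision.allowed) throw new Error(`order blocked: ${decision.reason}`);
    if (this.dryRun) return { dryRun: true, action: 'create', orderData };
    const result = await this.client.create(orderData);
    this.exposureUsd += decision.sizeUsd; // count exposure only after submission
    return result;
  }

  async closeAllPositions(ownerPubkey) {
    const decision = this.decide({ action: 'closeAllPositions', ownerPubkey });
    if (!decision.allowed) throw new Error(`bulk close blocked: ${decision.reason}`);
    if (this.dryRun) return { dryRun: true, action: 'closeAllPositions', ownerPubkey };
    return this.client.closeAllPositions(ownerPubkey);
  }
}

// Constructed scenario: the "user" approves single orders but refuses bulk
// close; limits are 25 USD per order and 50 USD total, with 40 USD already on
// the book. Returns the decisions so they can be inspected without any network call.
function demoDecisions() {
  const guarded = new GuardedClient(new RecordingClient(), {
    maxOrderUsd: 25,
    maxExposureUsd: 50,
    approve: (req) => req.action === 'create',
  });
  guarded.exposureUsd = 40;
  const order = (usd) => ({ action: 'create', orderData: { market: 'demo-market', amountMicroUsd: usd * MICRO_USD } });
  return {
    small: guarded.decide(order(5)).allowed,          // true: 5 <= 25 and 45 <= 50
    oversized: guarded.decide(order(30)).allowed,     // false: per-order limit
    overExposure: guarded.decide(order(15)).allowed,  // false: 55 > 50 total
    missingSize: guarded.decide({ action: 'create', orderData: { market: 'demo-market' } }).allowed, // false
    bulkClose: guarded.decide({ action: 'closeAllPositions', ownerPubkey: 'DemoOwnerPubkey111' }).allowed, // false
  };
}
```

Keeping decide() free of side effects and separate from the network call means every refusal (and every approval) can be logged with its reason, and the limits can be tested without a key or a wallet; exposure is only counted after the client call returns, so a failed request does not consume budget.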
Anyone who obtains the API key can use the user's Jupiter API access to the extent the key's permissions allow.
The skill reads a Jupiter API key from an environment variable or stores it in config/api-key.json. This is expected for the Jupiter integration, but it is sensitive account access and should be declared and protected.
if (process.env.JUPITER_API_KEY) { return process.env.JUPITER_API_KEY; }
...
fs.writeFileSync(API_KEY_FILE, JSON.stringify({ jupiterApiKey: trimmedKey }, null, 2));
Prefer environment-secret storage, do not commit config/api-key.json, use least-privilege/revocable API keys, and ensure the registry metadata declares JUPITER_API_KEY.
The demo or market-manager path may fail to run, or may depend on local code outside the reviewed package if such files are later supplied.
This bundled module references local files that are not present in the provided manifest, leaving a gap in both review coverage and functionality. There is no evidence that those missing files are automatically executed.
const api = require('../api_client');
const { microUsdToUsd, calculateImpliedProbability, formatTimestamp } = require('../utils');
Avoid using the market_manager/demo path until the missing referenced modules are included and reviewed, or remove the stale references.
