Jupiter Prediction Market

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the agent is given the needed Jupiter API access and wallet-signature flow, it could affect prediction-market positions or account state, including creating or closing positions.

Why it was flagged

These methods expose order creation and position mutation to an agent. The surrounding artifacts describe autonomous trading workflows but do not add approval gates, spend limits, market scoping, or safe defaults around these write operations.

Skill content

async create(orderData) {
  return this.post('/orders', orderData);
}
...
async closeAllPositions(ownerPubkey) {
  return this.delete('/positions', { ownerPubkey });
}
...
async claim(positionPubkey, ownerPubkey) {
  return this.post(`/positions/${positionPubkey}/claim`, { ownerPubkey });
}

Recommendation

Require explicit user confirmation for every trade or position-changing action, add spend and market limits, default to dry-run where possible, and keep wallet-signature review mandatory.

What this means

Users may not realize before installation that the skill requires and may locally store a Jupiter API key that authorizes API activity.

Why it was flagged

The skill reads a Jupiter API key from the environment or stores it in config/api-key.json. This is expected for the integration, but the registry metadata lists no required environment variables or primary credential.

Skill content

if (process.env.JUPITER_API_KEY) {
  return process.env.JUPITER_API_KEY;
}
...
fs.writeFileSync(API_KEY_FILE, JSON.stringify({ jupiterApiKey: trimmedKey }, null, 2));

Recommendation

Declare JUPITER_API_KEY as a credential in metadata and prefer secure secret storage or strict file permissions for config/api-key.json.

What this means

The demo/market manager code may fail at runtime or depend on unreviewed local helper files if users add them later.

Why it was flagged

The manifest does not include api_client.js or utils.js, so this module has missing local dependencies and cannot be fully reviewed from the supplied package contents.

Skill content

const api = require('../api_client');
const { microUsdToUsd, calculateImpliedProbability, formatTimestamp } = require('../utils');

Recommendation

Include the referenced helper files in the package, remove the stale module, or update the code to use the reviewed client utilities already present under src/.