Torch Prediction Market Kit
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
This is a disclosed Solana prediction-market bot, but it can autonomously create markets and spend vault funds in a loop, so it needs careful review before use.
Install only if you understand this is not read-only: it can run continuously, create on-chain markets, and seed liquidity from a Torch vault. Use a disposable controller key, keep vault funding limited, pin or verify the installed package, protect markets.json from unauthorized edits, and revoke the linked wallet when you are done.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If configured with a funded vault and a markets file, the bot can create markets and commit SOL according to that file.
The skill explicitly performs on-chain market creation and liquidity seeding autonomously, which can spend vault funds and mutate financial state without per-action review after startup.
This is not a read-only scanner. This is a fully operational market maker that generates its own keypair, verifies vault linkage, creates tokens, seeds liquidity, and resolves markets autonomously in a continuous loop.
Use only with a deliberately funded vault, tightly review markets.json before starting, start with minimal funds, and monitor the first cycles closely.
The code you install from npm may not exactly match the bundled/reviewed files, which matters because the bot can perform financial transactions.
The advertised npm install uses a version range rather than an exact pinned artifact; for a bot that signs Solana transactions, installing a different compatible release than the reviewed files is a material provenance risk.
"package": "torch-prediction-market-kit@^2.0.2"
Prefer an exact pinned version or a locally reviewed bundle, and verify package integrity before running with a vault-linked wallet.
Providing the wrong private key or linking an over-privileged wallet could expose funds or authorize unwanted vault actions.
The skill can use a Solana private key as a controller credential; this is disclosed and purpose-aligned, but it is sensitive and authorizes vault-linked actions.
"name": "SOLANA_PRIVATE_KEY", "description": "Disposable controller keypair ... Optional -- the bot generates a fresh keypair in-process if not provided", "sensitive": true
Use a fresh disposable controller keypair with minimal SOL for gas, do not use your main wallet, and revoke the wallet link when finished.
The bot may continue acting on newly pending or changed market definitions as long as the process remains running.
The code implements an indefinite background-style loop. This is disclosed and central to the bot, but users must understand it keeps operating until stopped.
while (true) { ... await marketCycle(connection, log, config.marketsPath, config.vaultCreator, agentKeypair); ... setTimeout(resolve, config.scanIntervalMs)
Run it in a controlled environment, supervise logs, stop the process when not needed, and restrict who can modify the markets file.
A bad or unavailable external price feed could delay or incorrectly record a market outcome.
Market resolution can depend on a third-party public price API. This is disclosed and purpose-aligned, but incorrect or unavailable data can affect recorded outcomes.
Fetches current price from CoinGecko public API: GET https://api.coingecko.com/api/v3/simple/price?ids={asset}&vs_currencies=usd
Use manual review for important resolutions and consider independent price checks before trusting automated outcomes.
