permissionless prediction markets

v1.0.0

Create, trade, and settle prediction markets on Base with any ERC20 collateral. Use when building prediction market infrastructure, running contests, crowdsourcing probability estimates, adding utility to tokens, or tapping into true information finance via market-based forecasting.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (create/trade/settle prediction markets on Base) aligns with the included scripts and the pnp-evm SDK. However the registry metadata declares no required environment variables/credentials while SKILL.md and every script clearly require a PRIVATE_KEY (and optionally an RPC_URL). That metadata omission is an inconsistency.
Instruction Scope
SKILL.md and the scripts confine actions to market lifecycle operations (create, trade, settle, redeem) and RPC interactions with Base; they construct a PNPClient using an environment PRIVATE_KEY and call SDK methods. There are no hidden network endpoints or data-exfiltration calls. The instructions do explicitly recommend using type(uint256).max (infinite approvals), which is a normal UX choice for EVM apps but a security trade-off that users should understand.
Install Mechanism
This is effectively instruction-only from the installer's perspective (no install spec). Code files and a package.json are included; dependencies are standard npm packages (pnp-evm, ethers). There are no downloads from arbitrary URLs or extract operations. Running the scripts will use npx/ts-node and fetch npm packages at runtime (network activity) — expected but worth noting.
Credentials
The scripts require a PRIVATE_KEY env var (and optional RPC_URL). That credential is necessary for signing transactions on behalf of a wallet, so it is proportionate to the skill's purpose; however the registry metadata claimed 'Required env vars: none' which is incorrect. Requiring a raw private key is high-impact: whoever runs these scripts must understand they are giving the code the ability to sign arbitrary transactions with that key. The SKILL.md's encouragement of infinite ERC20 approvals further increases funds-exposure risk.
Persistence & Privilege
The skill does not request permanent/system-wide privileges: always:false, it is user-invocable, and there is no code that modifies other skill configs or system settings. It will only run when invoked and does not install persistent agents.
What to consider before installing
Before installing or running this skill:
(1) Treat the PRIVATE_KEY requirement as sensitive — prefer a dedicated signing key with only the funds you are willing to risk, or use a remote signing provider/hardware wallet if possible; do not paste your primary hot wallet key into environments you don't control.
(2) The SKILL.md and scripts recommend 'infinite' ERC20 approvals (type(uint256).max) — this is common but increases risk if the PNP contracts or token approvals are ever abused; consider using limited approvals if you want tighter control.
(3) The published metadata omitted the PRIVATE_KEY requirement — assume the scripts will need it.
(4) Verify the contract addresses (PNP Factory, Fee Manager, token addresses) on BaseScan and confirm they match upstream project sources before transacting.
(5) Review the pnp-evm npm package source (and package-lock) yourself or run in a sandbox with minimal funds; running via npx/ts-node will fetch code from npm at runtime.
(6) Prefer a small test transaction first to confirm behavior and outcomes are as expected.

Like a lobster shell, security has layers — review code before you run it.
