permissionless prediction markets

Warn

Audited by ClawScan on May 10, 2026.

Overview

The skill is coherent for prediction markets, but it needs review because it can sign real blockchain transactions, require a wallet private key, create persistent token approvals, and trade with weak default safeguards.

Use this only with a dedicated low-balance wallet, confirm every market/trade/settlement manually, set slippage limits, verify Base contract addresses, pin dependencies, and revoke token approvals when finished.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If misused, the agent or dependency code could sign transactions or leave token allowances that put more funds at risk than a single trade amount.

Why it was flagged

The skill requires a raw wallet private key and discloses unlimited ERC20 approvals, giving broad and persistent authority over wallet assets; this is not reflected in the registry's declared credential requirements.

Skill content

export PRIVATE_KEY=<wallet_private_key>    # Required ... Infinite approvals: The SDK uses `type(uint256).max` approvals

Recommendation

Use a dedicated wallet with limited funds, verify contract addresses, prefer finite approvals when possible, and revoke allowances after use.

What this means

A trade may execute at an unexpectedly poor price, especially in volatile or manipulated markets.

Why it was flagged

The trade script defaults minimum output to zero and then directly submits buy/sell transactions, which weakens slippage protection for financial actions.

Skill content

minOut: parsed.minOut || "0" ... result = await client.trading.buy(args.conditionId, amount, args.outcome, minOut);

Recommendation

Require explicit user confirmation and set a nonzero --min-out value or other slippage bound before submitting trades.

What this means

A future dependency change or compromised package could affect how transactions are built or signed.

Why it was flagged

The scripts depend on npm packages using version ranges; those packages are central to wallet signing and blockchain transactions.

Skill content

"dependencies": { "pnp-evm": "^0.1.2", "ethers": "^6.0.0" }, "devDependencies": { "ts-node": "^10.9.0" }

Recommendation

Pin exact dependency versions, review lockfiles/package provenance, and run in a controlled environment before providing wallet credentials.