permissionless prediction markets
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: create-prediction-markets
Version: 1.0.0
The skill bundle provides CLI tools and SDK documentation for interacting with a prediction market dApp on the Base blockchain. It requires a `PRIVATE_KEY` environment variable for signing blockchain transactions, which is standard for dApps, but there is no evidence of this key being exfiltrated or misused. All operations described in the `SKILL.md` and implemented in the TypeScript scripts (`scripts/*.ts`) are legitimate blockchain interactions (create, trade, settle, redeem markets). The markdown instructions are purely functional and do not contain any prompt injection attempts or instructions for malicious behavior. Dependencies listed in `scripts/package.json` are standard for EVM development.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If misused, the agent or dependency code could sign transactions or leave token allowances that put more funds at risk than a single trade amount.
The skill requires a raw wallet private key and discloses unlimited ERC20 approvals, giving broad and persistent authority over wallet assets; this is not reflected in the registry's declared credential requirements.
export PRIVATE_KEY=<wallet_private_key> # Required ... Infinite approvals: The SDK uses `type(uint256).max` approvals
Use a dedicated wallet with limited funds, verify contract addresses, prefer finite approvals when possible, and revoke allowances after use.
A trade may execute at an unexpectedly poor price, especially in volatile or manipulated markets.
The trade script defaults minimum output to zero and then directly submits buy/sell transactions, which weakens slippage protection for financial actions.
minOut: parsed.minOut || "0" ... result = await client.trading.buy(args.conditionId, amount, args.outcome, minOut);
Require explicit user confirmation and set a nonzero --min-out value or other slippage bound before submitting trades.
A future dependency change or compromised package could affect how transactions are built or signed.
The scripts depend on npm packages using version ranges; those packages are central to wallet signing and blockchain transactions.
"dependencies": { "pnp-evm": "^0.1.2", "ethers": "^6.0.0" }, "devDependencies": { "ts-node": "^10.9.0" }
Pin exact dependency versions, review lockfiles/package provenance, and run in a controlled environment before providing wallet credentials.
