Lucky Lobster
Warn
Audited by ClawScan on May 10, 2026.
Overview
Lucky Lobster is clearly a Polymarket trading skill, but it gives the agent persistent authority to trade, cancel, and redeem positions without visible per-trade guardrails in the provided artifact.
Review this carefully before installing. The skill appears purpose-aligned for Polymarket trading, but it should be treated like handing an agent access to a financial trading account. Use a dedicated revocable key, set strict trading limits outside the skill if available, require manual confirmation for every order, and monitor positions and open orders regularly.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent using this skill could place or alter Polymarket trades, potentially causing financial loss if it misunderstands the user or acts too broadly.
Placing orders and managing positions are financial actions that can lose money or alter account holdings. In the provided visible artifact, this authority is not paired with clear confirmation, spend-limit, or rollback guidance.
Trade prediction markets on Polymarket. Search markets, place orders, and manage positions.
Use only with explicit user approval for each trade, clear maximum spend limits, and independent review of market, side, price, and quantity before submitting orders.
Anyone or any agent workflow with access to this key could view positions and perform trading-related actions within the linked account permissions.
The API key grants broad account authority, including financial mutation permissions, rather than a narrowly scoped read-only or per-action approval token.
All linked agents receive standard permissions: **read** (view markets/orders/positions), **trade** (buy/sell), **cancel** (cancel orders), and **redeem** (settle positions).
Prefer a dedicated, revocable key with the narrowest available permissions; monitor account activity; and revoke the key immediately if it is no longer needed or may have been exposed.
If the OpenClaw config or .env file is exposed, the LuckyLobster API key could be reused to access the linked trading account permissions.
Persistent storage is understandable for an API integration, but here the stored credential controls financial trading actions, so users should treat it as highly sensitive.
Save the API key persistently so it survives restarts. It is only returned once.
Store the key only in trusted secret storage when possible, avoid committing .env files, restrict local file access, and rotate the key if exposure is suspected.
