v1.0.0

Lucky Lobster

Review

ClawScan verdict for this skill. Analyzed May 1, 2026, 5:24 AM.

Analysis

This skill is coherent for Polymarket trading, but it grants persistent, broad authority to trade, cancel, and redeem positions, so users should review it carefully before linking an account.

Guidance

Only install this if you intentionally want an agent to help trade on Polymarket. Use a dedicated low-balance account, require explicit approval before every order or cancellation, protect the API key, and revoke access when finished.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: High; Confidence: High; Status: Concern
SKILL.md
description: Trade prediction markets on Polymarket. Search markets, place orders, and manage positions.

The skill is explicitly designed to perform market-trading actions, including placing orders and managing positions. Those actions can spend funds or change financial exposure.

User impact: If enabled with a funded account, the agent could place or manage prediction-market trades that may lose money.
Recommendation: Use only with explicit user confirmation for every trade, set conservative funding and account limits, and monitor open orders and positions.

Agentic Supply Chain Vulnerabilities
Severity: Low; Confidence: Medium; Status: Note
metadata
Source: unknown; Homepage: https://luckylobster.io

The registry data does not identify a source repository or publisher provenance beyond the homepage. This is not evidence of malicious behavior, but provenance matters for a financial trading integration.

User impact: The user has limited independent provenance information before granting trading authority.
Recommendation: Verify the provider and publisher through trusted channels before connecting a real account or funding it.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: High; Confidence: High; Status: Concern
SKILL.md
All linked agents receive standard permissions: read (view markets/orders/positions), trade (buy/sell), cancel (cancel orders), and redeem (settle positions).

The API key grants broad account authority, including mutation permissions for trading, cancelling orders, and redeeming positions, rather than a narrowly scoped read-only or confirmation-limited token.

User impact: A linked agent with this key can view account activity and perform trading operations on the user's behalf.
Recommendation: Prefer a dedicated low-balance account or scoped key if available, revoke the key when not needed, and avoid sharing the key across unrelated agents or workspaces.

Identity and Privilege Abuse
Severity: Medium; Confidence: High; Status: Note
SKILL.md
Save the API key persistently so it survives restarts. It is only returned once.

Persistent storage is a normal integration pattern, but here it preserves a credential with trading authority beyond a single session.

User impact: Anyone or anything with access to the saved OpenClaw config or environment file may be able to use the LuckyLobster trading credential.
Recommendation: Store the key only in a protected secrets mechanism, check file permissions, and rotate or revoke the key if the environment may be exposed.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Low; Confidence: High; Status: Note
SKILL.md
Base URL: https://luckylobster.io/api/agent/v1 ... Authorization: Bearer YOUR_API_KEY

The skill communicates with an external LuckyLobster API using a bearer token. This is disclosed and purpose-aligned, but users should recognize that trading requests and account-linked API calls go to that provider.

User impact: LuckyLobster will receive authenticated requests associated with the linked trading account.
Recommendation: Review LuckyLobster's trustworthiness and account controls before linking, and revoke access if you no longer use the skill.