LuckyLobster
WarnAudited by ClawScan on May 10, 2026.
Overview
The skill is coherent for Polymarket trading, but it gives an agent persistent authority to trade, cancel, and redeem positions without visible limits or approval controls in the supplied artifacts.
Install only if you intentionally want an AI agent to access and trade through your Polymarket-related account. Before using it, verify how to revoke the API key, use a dedicated account or low balance, and require manual confirmation for every trade, cancellation, or redemption.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent using this skill could place or manage real prediction-market trades, which can cause financial loss if used incorrectly or without user confirmation.
The skill exposes high-impact financial actions to the agent, and the metadata allows normal model invocation. The supplied artifacts do not show explicit approval or amount limits before placing or managing orders.
Description: Trade prediction markets on Polymarket. Search markets, place orders, and manage positions. ... disable-model-invocation: false
Use only with explicit trading instructions, require manual confirmation for every order, and avoid granting access to accounts with funds you cannot afford to risk.
A linked agent could read account trading information and execute, cancel, or redeem positions under the user's account authority.
The API key grants broad account authority including viewing positions and performing trading mutations. The provided artifacts do not show narrower scopes, per-agent permission choices, or spend controls.
All linked agents receive standard permissions: **read** (view markets/orders/positions), **trade** (buy/sell), **cancel** (cancel orders), and **redeem** (settle positions).
Confirm the provider offers revocation, account limits, and audit logs; consider using a dedicated low-balance account and revoke the key when not actively using the skill.
If the stored key is misused or the account is compromised, the agent's trading permissions may remain available across restarts.
Persistent credential storage is disclosed and purpose-aligned, but it extends the lifetime of the agent's access to a financially sensitive account.
Save the API key persistently so it survives restarts. It is only returned once. Use the `gateway` tool with `config.patch` to save it in the skill config
Store the key only in a trusted environment, rotate or revoke it when finished, and monitor account activity.