Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Wallet Balance Checker
v1.1.0
Check balances across Coinbase, Polymarket (Polygon USDC), Kalshi, and sportsbook accounts. Provides a unified capital view with low-balance alerts. Read-onl...
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The skill claims to check Coinbase, Polymarket (Polygon USDC), Kalshi, and sportsbook accounts, but the SKILL.md only contains a Coinbase balance-check implementation. Metadata also lists credentials for Kalshi and Polygon wallet/RPC, but no instructions use them — this is a clear mismatch between stated purpose and actual capability.
Instruction Scope
The runtime instructions contain a concrete Coinbase curl+jq script that computes an HMAC signature using openssl, reads COINBASE_API_KEY and COINBASE_API_SECRET, and queries api.coinbase.com. However, openssl (used in the script) is not listed in the required binaries, and there are no instructions for Polymarket/Kalshi/sportsbook despite those being advertised. The instructions therefore both omit needed runtime requirements and do not cover the advertised scope.
Install Mechanism
This is an instruction-only skill with no install spec and no code files; nothing is written to disk by the skill itself. That lowers installation risk.
Credentials
The skill requests sensitive credentials (Coinbase API key/secret, Kalshi API key, Polygon RPC URL, Polymarket wallet address) in its metadata. Requiring a Coinbase API secret is reasonable for Coinbase access, but Kalshi/Polygon credentials are declared yet unused in the provided instructions. Additionally, the registry summary at the top says 'Required env vars: none' which contradicts the SKILL.md — a concerning inconsistency when secrets are involved.
Persistence & Privilege
The skill does not request always:true and uses default invocation settings; it does not request persistent/privileged platform presence. No evidence it modifies other skills or writes global settings.
What to consider before installing
Do not supply sensitive API secrets or enable this skill until the inconsistencies are resolved. Ask the publisher for: (1) the full runtime instructions for Polymarket, Kalshi, and sportsbook integrations (the SKILL.md currently only implements Coinbase); (2) an explicit list of required binaries (the script uses openssl but openssl is not listed); and (3) confirmation of which environment variables are required (the registry summary claims none). If you test, use least-privilege, read-only API keys with scopes restricted to balance reads, run in an isolated environment, and rotate keys after testing. Prefer skills with a verifiable homepage/repository and a known publisher before providing secrets.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
💰 Clawdis
Bins: curl, jq
