Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Uniclaw Skill

v0.1.19

Trade on UniClaw prediction markets. Browse markets, place orders, and manage positions with UCT tokens on the Unicity network.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability (flagged)
Name and description match the code: the scripts list markets, place orders, deposit/withdraw and use a Unicity wallet. However, the implementation extracts the wallet mnemonic/private key from the Unicity data directory and uses a hard-coded UNICITY_API_KEY by default; that key is unrelated to the simple act of placing signed market orders and is unexpected.
Instruction Scope (flagged)
SKILL.md says the skill will use the shared Unicity wallet for identity/signing (true), but the runtime code explicitly reads ~/.openclaw/unicity/mnemonic.txt and accesses the Sphere SDK internal _identity.privateKey to obtain the raw private key. The documentation does not clearly warn that the skill will extract and use the raw private key and send signed requests to an external server (default https://api.uniclaw.app).
Install Mechanism
Install is a standard node dev dependency (tsx) via the package.json/package-lock; no arbitrary URL downloads or installers. Requiring npx/node is proportional to running the included TypeScript scripts.
Credentials (flagged)
The skill declares no required env vars but will read wallet files by default. Critically, lib/wallet.ts supplies a default oracle API key (UNICITY_API_KEY) embedded in the source: 'sk_06365a9c44654841a366068bcfc68986'. An embedded secret in the code is unexpected and unexplained for the stated purpose and increases risk. The skill also contacts an external server (config.serverUrl defaulting to api.uniclaw.app) which the user must trust because signed requests (derived from their private key) will be sent there.
Persistence & Privilege
No always:true flag, no system-wide config modifications, and no declared persistent privileges. The skill runs on demand and does not request elevated platform privileges beyond filesystem reads of the Unicity wallet directory.
What to consider before installing
This skill will read your Unicity wallet files (mnemonic.txt) and extract the raw private key (via an internal _identity field) to sign requests to an external UniClaw server (default https://api.uniclaw.app). It also includes a hard-coded UNICITY_API_KEY in the code.

Before installing:

1) Do NOT point this at a wallet that holds real funds; test with a throwaway/testnet wallet only.
2) Inspect or remove the hard-coded UNICITY_API_KEY, or set UNICITY_API_KEY explicitly in your environment if you understand its use.
3) If you don't trust api.uniclaw.app, set UNICLAW_SERVER to a server you control (or audit the remote server endpoints) — the server will accept signed requests generated from your key.
4) Consider running the skill in an isolated environment (container or VM) and reviewing the Sphere SDK usage — accessing (sphere as any)._identity to read privateKey is fragile and risky.

If you are uncomfortable exposing your private key or cannot audit the remote server, do not install or use this skill.

Like a lobster shell, security has layers — review code before you run it.

latest: vk97cf08tc9v4dnz1bz28yxn0vx81ab0e


Runtime requirements

🦞 Clawdis
Bins: npx, node

Install

Requires Node.js and npx
Bins: npx
npm i -g tsx
