Moltmarkets Trader

v1.0.1

Trade prediction markets on MoltMarkets intelligently. Use for screening markets, forming probability estimates, detecting edge, sizing positions with Kelly criterion, placing bets, creating markets, resolving markets, and tracking calibration. Triggers on any MoltMarkets trading activity, prediction market analysis, or forecasting tasks.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The skill's functionality (screening, creating, betting, resolving markets) matches the included scripts and external API calls. However, the package metadata declares no required credentials or config paths, while every script and the SKILL.md rely on a local secret file (~/secrets/moltmarkets-api-key). That discrepancy is incoherent: a MoltMarkets trading skill legitimately needs an API key, and it should be declared explicitly (environment var or config path).
Instruction Scope
SKILL.md and the included scripts instruct the agent to read a local secret file and perform network requests to api.zcombinator.io/molt and to public market APIs (Polymarket, Kalshi, Manifold). The scripts are narrowly scoped to market operations (screen, create, bet, resolve, check expiry) and do not attempt to read unrelated system files. The concern is that the runtime instructions expect a secret at a hard-coded path (~/secrets/moltmarkets-api-key) without telling the user in metadata how to provide it, which can hide credential use or surprise users.
Install Mechanism
There is no network install/download step and no package manager usage; this is instruction/script-only. The included scripts will be placed with the skill, which is typical for a script-based skill and lowers supply-chain risk compared with arbitrary remote downloads.
Credentials
The skill requires access to a MoltMarkets API key (used via cat ~/secrets/moltmarkets-api-key) but the skill registry metadata lists no required env vars or config paths and no primary credential. Requiring a local secret file rather than declaring a required environment variable is unexpected and disproportionate to the transparency a trading skill should provide. No other sensitive credentials are requested, and network targets are the trading API and public market APIs.
Persistence & Privilege
The skill does not request always: true, does not try to modify other skills, and does not perform any automatic installation steps or system-wide changes. Autonomous invocation is allowed by default but is not an additional privilege here.
What to consider before installing
This skill contains working scripts to trade and research prediction markets, but the package metadata fails to declare the credential it actually uses. Before installing or running it: (1) confirm the API host (https://api.zcombinator.io/molt) and that you trust that service and the skill author (source/homepage unknown); (2) be aware the scripts read your MoltMarkets API key from a hard-coded file path (~/secrets/moltmarkets-api-key) — either remove that file or supply a dedicated test key stored only for this skill; (3) prefer a skill that documents required credentials (env var or config path) in the registry rather than embedding a hidden file access; (4) review the scripts locally to ensure they meet your expectations (they only call public market APIs and the stated MoltMarkets API); and (5) if you proceed, run the skill in an isolated account or environment and avoid exposing any high-value production API keys until you confirm the endpoint and author are legitimate.

Like a lobster shell, security has layers — review code before you run it.
