Back to skill
Skillv1.0.5
ClawScan security
Aionmarket Trading · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
SuspiciousApr 23, 2026, 12:16 PM
- Verdict
- suspicious
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's runtime instructions require highly sensitive secrets (wallet private keys and an API key) and automated approval flows, but the registry metadata does not declare these requirements and the skill promotes auto-approving/auto-executing trades — the combination is inconsistent and risky.
- Guidance
- Key things to consider before installing: - There is a major metadata mismatch: the registry shows no required env vars but the SKILL.md requires AIONMARKET_API_KEY, WALLET_PRIVATE_KEY, and (optionally) SOLANA_PRIVATE_KEY. Ask the publisher to correct the registry and provide a source repository. - Never give your main wallet private key to third-party code you don't fully trust. Prefer a dedicated low-value wallet for automation, hardware signing, or a delegated API/key with limited scopes and withdrawal disabled. - The skill defaults to auto-approving spenders and auto-executing trades. If you need this skill, require manual confirmation for approvals or restrict it to testnet / small amounts until you audit the SDK. - Request the SDK source (aionmarket-sdk) and py-clob-client repository or PyPI package links; review their code or have a trusted engineer audit them before installing. Verify package signatures or checksums when available. - Do not store private keys in plaintext or in a repo. Use a secure secrets manager or environment injection at runtime; if you must use .env, ensure it’s excluded from version control and encrypted at rest. - If you proceed, set strict risk limits first (very small default trade amount, conservative maxTradeAmount, disable auto-approve), rotate keys after testing, and monitor all activity closely. - If the publisher cannot provide a verifiable source and dependency provenance, treat this skill as untrusted and avoid supplying real private keys or high-value API keys.
Review Dimensions
- Purpose & Capability
- concernThe SKILL.md clearly describes trading on AION Market/Polymarket/Kalshi and legitimately needs an API key and wallet private keys; however the registry metadata shows no required env vars or primary credential. That mismatch (registry claims 'none' while the instructions demand AIONMARKET_API_KEY, WALLET_PRIVATE_KEY, and SOLANA_PRIVATE_KEY) is an incoherence that prevents informed consent and safe installation.
- Instruction Scope
- concernThe instructions direct the agent to derive wallet addresses, derive and register CLOB credentials, auto-check balances/gas/allowance, and auto-approve spenders and approvals by default without user confirmation. They also mandate saving returned API keys and storing secrets in a local .env. Those behaviors go beyond passive guidance and grant broad operational authority over funds and signing flows — appropriate for a trading skill, but high-risk if the source isn't trustworthy or if automation is enabled without clear human gates.
- Install Mechanism
- noteThis is an instruction-only skill with no install spec or code files. The SKILL.md assumes Python packages (aionmarket-sdk, py-clob-client) must be installed, but the registry did not declare dependencies or provide a verified install source — this is reasonable for an instruction-only skill but reduces traceability and increases risk because the actual SDK provenance is unknown.
- Credentials
- concernThe sensitive environment variables the skill asks for (private keys and API key) are proportionate to the trading purpose, but they are not declared in the registry metadata. Requiring full wallet private keys (and instructing to store them in .env) is inherently dangerous; the skill should document least-privilege alternatives (e.g., hardware signing, delegated/limited API keys, testnet wallets) and clearly declare required env vars in the registry.
- Persistence & Privilege
- notealways is false and the skill does not request permanent platform-wide privileges. However, the SKILL.md's automation defaults (auto-approve, auto-execute, auto-register credentials, periodic get_briefing heartbeat) enable autonomous trading behaviors. Autonomous invocation combined with private key access and auto-approval increases blast radius — this is noteworthy but not a platform-level privilege misconfiguration.