Skill v2.0.4

ClawScan security

Openclaw Skill Publish · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 26, 2026, 1:40 PM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's code, runtime instructions, and requested environment/configuration are consistent with a prob.trade Polymarket analytics + trading integration and do not request unrelated credentials or perform unexpected network calls.
Guidance
This skill appears to do what it says: analytics + trading via prob.trade. Before installing, ensure you only provide API keys created on app.prob.trade and understand the keys' scopes. The skill stores/reads keys from ~/.openclaw/skills/probtrade/config.yaml (plain text) or from environment variables — set file permissions (e.g., chmod 600) and avoid sharing the file. Because the agent can invoke the skill and the skill can place orders, only enable it for agents/users you trust and consider funding trades conservatively. If you need stronger isolation, keep keys in environment variables or revoke/regenerate them from the prob.trade dashboard if anything looks suspicious. Finally, verify prob.trade's API docs and key permissions on their site if you need to confirm there are no withdraw/transfer capabilities tied to your key.

Review Dimensions

Purpose & Capability
ok: Name and description match required binaries (python3), required env vars (PROBTRADE_API_KEY/PROBTRADE_API_SECRET), and a config path for the prob.trade integration. All required items are necessary and proportional for a trading/analytics client.
Instruction Scope
ok: SKILL.md instructs the agent to read keys from env or ~/.openclaw/skills/probtrade/config.yaml and to call prob.trade public and trading APIs. The code only reads that config and environment variables, and it only contacts https://api.prob.trade — there are no instructions to read unrelated files, scan the system, or exfiltrate data.
Install Mechanism
ok: Install spec is a brew formula for python@3 (to provide python3). This is a standard, low-risk install mechanism for a Python-based skill and matches the declared requirement.
Credentials
ok: The skill requests exactly two API credentials (PROBTRADE_API_KEY, PROBTRADE_API_SECRET) and a single config path under ~/.openclaw/skills/probtrade. These are appropriate for a trading client that must sign requests with an HMAC secret.
Persistence & Privilege
ok: The skill does not request always:true, does not alter other skills, and only stores/reads its own config path. Default autonomous invocation is allowed by platform policy but is not combined with extra privileges here.