Skill v2.0.5
ClawScan security
Openclaw Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 5, 2026, 1:42 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, declared requirements, and runtime instructions are consistent with a Polymarket analytics & trading client that uses a local API key/secret to HMAC-sign requests to api.prob.trade.
- Guidance: This skill appears coherent and implements local HMAC signing of requests to api.prob.trade. Before installing: 1) Confirm you trust the prob.trade service and the skill source (homepage and ClawHub links). 2) Store API keys only in the indicated config file or environment variables and avoid placing highly privileged credentials there; use account-level key controls (scopes/limits) if available. 3) Review the included files (lib/api_client.py and scripts/probtrade.py) yourself if you want extra assurance; they are small and readable. 4) If keys are ever exposed or you stop using the skill, revoke them from the prob.trade dashboard. If you require stronger isolation, run the skill in a sandboxed environment or separate account.
Review Dimensions
- Purpose & Capability (ok): Name/description (prob.trade analytics & trading) align with required binaries (python3), required env vars (PROBTRADE_API_KEY, PROBTRADE_API_SECRET), and the provided scripts. Requested files and config path (~/.openclaw/skills/probtrade/config.yaml) are appropriate for storing API credentials.
- Instruction Scope (ok): SKILL.md instructs only running the included Python scripts and placing API keys in the declared config file. The included code performs only HTTP calls to api.prob.trade and local config/env reading; it does not attempt to read unrelated system paths or transmit data to unexpected endpoints.
- Install Mechanism (ok): Install spec is a brew formula for python@3 to provide python3. No downloads from untrusted hosts, no archive extraction, and the code uses only the Python standard library (urllib, hmac, hashlib).
- Credentials (ok): The skill requires exactly two credentials (PROBTRADE_API_KEY and PROBTRADE_API_SECRET) which are reasonable and necessary for trading. The code checks those env vars and a single config path; no unrelated secrets or additional service credentials are requested.
- Persistence & Privilege (ok): always is false and the skill does not request persistent platform-wide privileges or modify other skills. Its behavior is limited to running the included scripts when invoked.
