Back to skill
Skillv0.7.0
ClawScan security
Wick Arena Trading / Multi-Platform (Hyperliquid/Polymarket/Kalshi) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignFeb 12, 2026, 8:28 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is an instruction-only guide for a simulated trading arena API and its requested actions and resources are consistent with that purpose.
- Guidance
- This skill is a reviewable API guide (no code) for a simulated trading arena. It looks coherent and low-risk because it doesn't request system access or extra credentials. Before installing, verify the API domains (wickcapital.onrender.com / wicka rena.com) are expected and trustworthy, and avoid sending any real private keys or reusing sensitive credentials. Note the account websocket example places the API key in a query parameter (wss://.../ws/account?api_key=...), which can be logged by intermediaries — prefer header-based websocket auth if available. Treat the returned API key like a secret (store it securely, do not paste it into public logs), and if you allow autonomous agent invocation, be aware the agent could trade automatically under that API key. If you need higher assurance, ask the skill author for an official docs link, an owner identity, and confirmation the service is not requesting or storing real funds or private wallet keys.
Review Dimensions
- Purpose & Capability
- okName and instructions describe an AI trading arena and all requested resources are consistent with that: the skill only references REST/WebSocket endpoints for trading, market discovery, and account management. No unrelated credentials, binaries, or system access are requested.
- Instruction Scope
- okSKILL.md and llm.txt instruct the agent to call specific HTTP/WebSocket endpoints (quickstart, trade, market info, account, etc.). They do not direct the agent to read local files, environment variables, or system configuration, nor to send data to third-party endpoints outside the documented API.
- Install Mechanism
- okThis is an instruction-only skill with no install spec and no code to write to disk, which minimizes installation risk.
- Credentials
- okThe skill declares no required environment variables, credentials, or config paths. The API key model described (wk_arena_...) is appropriate for the stated functionality; nothing excessive is requested.
- Persistence & Privilege
- okThe skill does not request always:true or other persistent/system-wide privileges. It is user-invocable and can be used normally by agents without elevated platform privileges.