Opinion Skill
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
This appears to be a legitimate Opinion trading tool, but it requires wallet/API credentials and can place or cancel real financial trades, so it needs careful review before use.
Only install this if you intentionally want an agent-assisted trading tool. Use a dedicated wallet with limited funds, review the SDK and remote setup path, avoid cloning unpinned code when possible, and require explicit confirmation before any approval, buy, sell, or cancel-all command.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used with a funded wallet, the skill can act through that wallet for Opinion trading operations.
The skill reads a wallet private key, API key, and multi-sig wallet address to create a BSC mainnet trading client. This is central to the skill, but it grants high-impact account authority and is not declared in the registry metadata.
const PRIVATE_KEY = process.env.PRIVATE_KEY; ... return new Client({ ... apiKey: API_KEY, ... privateKey: PRIVATE_KEY as `0x${string}`, multiSigAddress: MULTI_SIG_ADDRESS as `0x${string}` });
Use only a dedicated low-balance wallet/API key, verify the exact contracts and SDK behavior, and require the skill metadata to declare these credentials clearly.
A mistaken or over-broad agent invocation could submit real buy/sell orders or trigger market orders with financial consequences.
The trading script prints order details and then directly submits an order. The artifacts do not show a separate confirmation prompt, maximum amount guard, or dry-run mode before placing real trades.
console.log(`\nPlacing ${isMarket ? "MARKET" : "LIMIT"} BUY order...`); ... const resp = await client.placeOrder({ marketId, tokenId, side, orderType: oType, price: isMarket ? "0" : price, makerAmountInQuoteToken: amount }, true);
Require explicit user confirmation for every trade, show market/token/side/price/amount before execution, and add spending limits or dry-run support.
A mis-invoked command could cancel active orders across the account.
The cancel-all path can cancel all open orders, optionally only for one market, without an additional confirmation safeguard in the script.
const resp = await client.cancelAllOrders(marketId ? { marketId } : undefined);
Require confirmation before bulk cancellation and default to market-scoped or single-order cancellation where possible.
If the remote repository, installer, or dependency chain changes or is compromised, the agent could run unreviewed code with access to trading credentials.
The setup instructions can pull latest remote code and execute a remote installer rather than using a pinned, verified artifact. This is more concerning because the resulting code may later handle wallet private keys.
git clone https://github.com/Yuandiaodiaodiao/opinion-skill.git /root/opinionskills ... curl -fsSL https://bun.sh/install | bash
Use the packaged reviewed files when possible, pin repository commits and dependency versions, avoid curl-to-shell installs, and review code before adding private keys.
Your Opinion API key may be used during market search/cache refreshes, not only during trading commands.
The market cache path optionally sends API_KEY to an Opinion OpenAPI endpoint. This appears provider-aligned, but users may not expect search/cache operations to use the API key because SKILL.md says data queries do not need environment variables.
const apiKey = process.env.API_KEY; if (apiKey) headers["apikey"] = apiKey; const resp = await fetch(url.toString(), { headers, signal: AbortSignal.timeout(30000) });
Document this optional API-key use clearly and avoid setting API_KEY when only public market queries are needed.
