UnifAI Trading Suite
WarnAudited by ClawScan on May 10, 2026.
Overview
The skill is mostly a coherent trading-analysis tool, but its artifacts also describe dynamic trading/order capabilities while user-facing skill files claim the tools are read-only.
Review before installing or granting credentials. Treat it as an analysis tool only unless you have verified the underlying TradingAgent and UnifAI tool permissions, and do not grant wallet/order-placement privileges without explicit confirmation controls and trade limits.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the configured UnifAI/account credentials can place trades, an agent may have access to financial actions beyond simple market analysis.
The project documentation says the UnifAI integration can expose order-placement tools, but the supplied skill instructions do not show explicit user approval, trade-size limits, or a read-only tool allowlist.
Polymarket tools are available through UnifAI SDK with full trading capabilities ... limitOrderBuy/Sell ... marketOrderBuy/Sell
Use read-only or least-privilege credentials, remove or block order-placement tools by default, and require explicit user confirmation with clear amounts before any trade.
A user may trust the skill as analysis-only even though the broader package describes capabilities that could affect real trading accounts.
This read-only assurance conflicts with other included documentation describing trade execution and full Polymarket trading capabilities, which could cause users to underestimate the risk of granting credentials.
This tool is read-only; trading requires platform authentication
Update the skill documentation to accurately separate read-only commands from any trading-capable code, and disclose when credentials can enable order placement.
Users may provide the wrong key or a broader-privilege key than needed for read-only analysis.
Provider API keys are expected for UnifAI/Gemini use, but the registry metadata declares no required env vars and scripts check UNIFAI_AGENT_API_KEY instead, creating an unclear credential contract.
requires":{"env":["UNIFAI_API_KEY","GOOGLE_API_KEY"]},"primaryEnv":"UNIFAI_API_KEY"Declare the exact required environment variables in registry metadata and documentation, and specify the minimum permissions each key needs.
Market questions, token topics, or other user-provided text may be sent to external services during analysis.
The skill is designed to send queries through UnifAI and LLM/tool-provider flows; this is purpose-aligned, but the provided user-facing docs do not detail data boundaries or provider handling.
UnifAI Integration: Dynamic tool discovery and agent-to-agent communication
Avoid entering sensitive personal or account information, and review UnifAI/Google data-handling terms before use.