← Back to Skills Marketplace
623
Downloads
0
Stars
0
Active Installs
2
Versions
Install in OpenClaw
/install uniclaw-skill
Description
Trade on UniClaw prediction markets. Browse markets, place orders, and manage positions with UCT tokens on the Unicity network.
Usage Guidance
This skill will read your Unicity wallet files (mnemonic.txt) and extract the raw private key (via an internal _identity field) to sign requests to an external UniClaw server (default https://api.uniclaw.app). It also includes a hard-coded UNICITY_API_KEY in the code. Before installing: 1) Do NOT point this at a wallet that holds real funds; test with a throwaway/testnet wallet only. 2) Inspect or remove the hard-coded UNICITY_API_KEY or set UNICITY_API_KEY explicitly in your environment if you understand its use. 3) If you don't trust api.uniclaw.app, set UNICLAW_SERVER to a server you control (or audit the remote server endpoints) — the server will accept signed requests generated from your key. 4) Consider running the skill in an isolated environment (container or VM) and reviewing the Sphere SDK usage — accessing (sphere as any)._identity to read privateKey is fragile and risky. If you are uncomfortable exposing your private key or cannot audit the remote server, do not install or use this skill.
Capability Analysis
Type: OpenClaw Skill
Name: uniclaw-skill
Version: 0.1.19
The skill is classified as 'suspicious' primarily due to a hardcoded API key (`sk_06365a9c44654841a366068bcfc68986`) found in `lib/wallet.ts`. While this key is used for an 'oracle' within the `@unicitylabs/sphere-sdk` and not directly for user funds or exfiltration, hardcoding any API key is a significant security vulnerability as it exposes a credential that might be intended to be secret or unique per deployment. Additionally, the skill accesses the private key from the `sphere` object's internal `_identity` field in `lib/wallet.ts` for signing requests, which is a sensitive operation, though necessary for the skill's stated purpose and relies on the OpenClaw platform's secure handling of the mnemonic. No evidence of prompt injection, data exfiltration to unauthorized endpoints, or persistence mechanisms was found.
Capability Assessment
Purpose & Capability
Name/description match the code: scripts list markets, place orders, deposit/withdraw and use a Unicity wallet. However the implementation extracts the wallet mnemonic/private key from the Unicity data directory and accesses a hard-coded UNICITY_API_KEY by default — the key is unrelated to the simple act of placing signed market orders and is unexpected.
Instruction Scope
SKILL.md says the skill will use the shared Unicity wallet for identity/signing (true), but the runtime code explicitly reads ~/.openclaw/unicity/mnemonic.txt and accesses the Sphere SDK internal _identity.privateKey to obtain the raw private key. The documentation does not clearly warn that the skill will extract and use the raw private key and send signed requests to an external server (default https://api.uniclaw.app).
Install Mechanism
Install is a standard node dev dependency (tsx) via the package.json/package-lock; no arbitrary URL downloads or installers. Requiring npx/node is proportional to running the included TypeScript scripts.
Credentials
The skill declares no required env vars but will read wallet files by default. Critically, lib/wallet.ts supplies a default oracle API key (UNICITY_API_KEY) embedded in the source: 'sk_06365a9c44654841a366068bcfc68986'. An embedded secret in the code is unexpected and unexplained for the stated purpose and increases risk. The skill also contacts an external server (config.serverUrl defaulting to api.uniclaw.app) which the user must trust because signed requests (derived from their private key) will be sent there.
Persistence & Privilege
No always:true flag, no system-wide config modifications, and no declared persistent privileges. The skill runs on demand and does not request elevated platform privileges beyond filesystem reads of the Unicity wallet directory.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install uniclaw-skill - After installation, invoke the skill by name or use
/uniclaw-skill - Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.1.19
Update sphere-sdk to 0.4.7
v0.1.18
Update sphere-sdk to 0.4.7
Metadata
Frequently Asked Questions
What is Uniclaw Skill?
Trade on UniClaw prediction markets. Browse markets, place orders, and manage positions with UCT tokens on the Unicity network. It is an AI Agent Skill for Claude Code / OpenClaw, with 623 downloads so far.
How do I install Uniclaw Skill?
Run "/install uniclaw-skill" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Uniclaw Skill free?
Yes, Uniclaw Skill is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Uniclaw Skill support?
Uniclaw Skill is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Uniclaw Skill?
It is built and maintained by jvsteiner (@jvsteiner); the current version is v0.1.19.
More Skills