← Back to Skills Marketplace
ternencescott

Probable Skill

by ternencescott · GitHub ↗ · v0.1.1
cross-platform ⚠ suspicious
383
Downloads
0
Stars
0
Active Installs
2
Versions
Install in OpenClaw
/install probable-skill
Description
0xProbable prediction market trading skills on BSC mainnet. Trade outcome shares (YES/NO) on real-world events via CLOB order book using @prob/clob SDK. Supp...
Usage Guidance
This package contains working trading scripts for 0xProbable on BSC and will perform on-chain actions (create/cancel orders, withdraw from a proxy/Gnosis Safe) if you provide a PRIVATE_KEY. Before installing or running: 1) Do not run curl | bash installers without reviewing the script; install bun from a trusted source or manually. 2) Treat PRIVATE_KEY as highly sensitive — prefer using a key with minimal funds or a dedicated account for testing; verify the repository and code first. 3) Verify the hard-coded PROXY_WALLET and EOA_ADDRESS in scripts/config.ts — if these are not your addresses, withdraw/tx scripts could fail or act on other accounts. 4) Inspect withdraw.ts carefully: it constructs and signs Safe transactions — test with a small amount or on a fork/testnet first. 5) Ask the publisher to correct registry metadata to declare PRIVATE_KEY as a required credential and to document any required addresses or deployment steps. If you cannot review the code yourself, avoid supplying your main wallet private key.
Capability Analysis
Type: OpenClaw Skill Name: probable-skill Version: 0.1.1 The skill is classified as suspicious due to a critical vulnerability in `scripts/withdraw.ts` and the use of a risky `curl | bash` command in `SKILL.md`. The `withdraw.ts` script attempts to transfer funds from a hardcoded proxy wallet (`0xE1e2380cDe7d1822ACbD097E85f72040AB106f42`) to a hardcoded burn address (`0xDDDddDcF23631d075C48e4669a5c0C227d5DdddD`) as defined in `scripts/config.ts`. If a user's provided `PRIVATE_KEY` happens to be an owner of this specific hardcoded proxy wallet, executing `withdraw.ts` would lead to irreversible loss of funds, which is a severe bug, though not clear evidence of intentional exfiltration to an attacker. Additionally, `SKILL.md` instructs users to install `bun` via `curl -fsSL https://bun.sh/install | bash`, which is a supply chain risk and a common RCE vulnerability if the remote script source is compromised.
Capability Assessment
Purpose & Capability
The skill's name/description (0xProbable CLOB trading on BSC) aligns with the included TypeScript scripts and the @prob/clob SDK usage — the scripts implement searching, orderbook queries, limit/market orders, PnL and Gnosis Safe withdrawals as advertised. However, the registry metadata declares no required environment variables or primary credential while the code and SKILL.md clearly require a PRIVATE_KEY; that metadata omission is an inconsistency.
Instruction Scope
SKILL.md and scripts instruct the agent/user to create a .env with PRIVATE_KEY and to run the TypeScript scripts that will load that key (dotenv/config). All runtime behavior (on-chain calls, order posting, safe withdrawal) stays within trading/account management, which is expected, but the instructions also tell users to run a remote install command (curl -fsSL https://bun.sh/install | bash) and to clone a GitHub repo via git@ (SSH) if scripts are missing. Those installer/clone steps broaden the scope of what the agent will do and include executing remote code.
Install Mechanism
There is no formal install spec in registry metadata, but SKILL.md explicitly suggests installing bun via a remote installer piped to bash (curl | bash). Executing a remote install script is higher risk because it fetches and runs code from the internet. The project otherwise depends on well-known packages (@prob/clob, ethers, viem), which is reasonable for the described purpose.
Credentials
The scripts require a PRIVATE_KEY (documented in SKILL.md and used in scripts/config.ts), which is appropriate for signing blockchain transactions — but the registry metadata does not declare this required env var or a primary credential, creating a dangerous mismatch. Additionally, config.ts hardcodes PROXY_WALLET and EOA_ADDRESS constants; hard-coded addresses may not match a user's deployment and could cause unintended behavior (e.g., attempting withdrawals from an address the user does not control). The skill does not request unrelated credentials, but the missing metadata declaration and hard-coded wallet addresses are problematic.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or system-wide settings, and contains no explicit persistence beyond normal use of local files (.env, repo files). Autonomous invocation is allowed by default but is not combined with other privilege-escalating flags here.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install probable-skill
  3. After installation, invoke the skill by name or use /probable-skill
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.1.1
- Updated skill description to clarify trading of outcome shares (YES/NO) on real-world events and add more detail on feature coverage. - Added more explicit references to prediction markets and outcome trading in the intro. - No changes to functionality, code, or examples; documentation only.
v0.2.0
probable-skill v0.2.0 - Added detailed setup, usage instructions, and command reference in SKILL.md - Official documentation now covers market search, orderbook viewing, price queries, limit/market order placement, position management, and Gnosis Safe withdrawals on BSC mainnet - Includes environment preparation, SDK requirements, command quick reference, and troubleshooting guide - Target chain set to BSC mainnet (chainId 56), using @prob/clob SDK v0.5.0 - Security tips and fee structure now clarified for all users
Metadata
Slug probable-skill
Version 0.1.1
License
All-time Installs 0
Active Installs 0
Total Versions 2
Frequently Asked Questions

What is Probable Skill?

0xProbable prediction market trading skills on BSC mainnet. Trade outcome shares (YES/NO) on real-world events via CLOB order book using @prob/clob SDK. Supp... It is an AI Agent Skill for Claude Code / OpenClaw, with 383 downloads so far.

How do I install Probable Skill?

Run "/install probable-skill" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Probable Skill free?

Yes, Probable Skill is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Probable Skill support?

Probable Skill is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Probable Skill?

It is built and maintained by ternencescott (@ternencescott); the current version is v0.1.1.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments