← Back to Skills Marketplace
jvsteiner

UniClaw Prediction Market

by jvsteiner · GitHub ↗ · v0.2.1
cross-platform ⚠ suspicious
2765
Downloads
0
Stars
2
Active Installs
23
Versions
Install in OpenClaw
/install uniclaw
Description
Trade on UniClaw prediction markets. Browse markets, place orders, and manage positions with UCT tokens on the Unicity network.
Usage Guidance
Before installing or running this skill, consider: (1) It will read your Unicity wallet (mnemonic/private key) and use that key to sign requests and send tokens — only run this if you fully trust the UniClaw server. (2) The code contains a hard-coded UNICITY_API_KEY default; ask the maintainer what that key is for, rotate or remove it if it is a real secret, and prefer supplying your own API key via environment variable. (3) If you want to reduce blast radius, use a separate test wallet with minimal funds (not your main wallet) or run the skill against a self-hosted UniClaw server (set UNICLAW_SERVER). (4) The code accesses an internal SDK field to extract privateKey — review that choice and prefer an SDK API that doesn't expose private keys if possible. If you need higher assurance, request the server's source code or run the client against a server you control; otherwise treat this skill as sensitive and proceed cautiously.
Capability Analysis
Type: OpenClaw Skill Name: uniclaw Version: 0.2.1 The skill is classified as suspicious due to several vulnerabilities, though it lacks clear evidence of intentional malice. Key concerns include the ability to override the `UNICLAW_SERVER` environment variable (lib/config.ts), which could redirect cryptographically signed API requests to an attacker-controlled server. Additionally, the `scripts/withdraw.ts` functionality allows sending tokens to an arbitrary address, presenting a significant prompt injection risk against the AI agent. A hardcoded `UNICITY_API_KEY` (lib/wallet.ts) for an oracle is also present, which could be a minor vulnerability depending on its privileges. While these are vulnerabilities and potential attack surfaces, the skill's code and instructions (SKILL.md) are transparently aligned with its stated purpose of interacting with a prediction market, and do not contain explicit malicious commands or data exfiltration attempts.
Capability Assessment
Purpose & Capability
The name/description (trading on UniClaw) match the code and scripts: the skill lists markets, places orders, deposits/withdraws, and signs requests using the Unicity wallet. Requiring node/npx and a TypeScript runner (tsx) is proportional to the packaged scripts.
Instruction Scope
The SKILL.md explicitly instructs the agent to read the shared Unicity wallet (~/ .openclaw/unicity/) and to use the Unicity plugin for top-ups; the scripts indeed load the wallet, extract a private key, and sign requests to the UniClaw server. That is within the stated trading scope, but it means the skill will access your wallet's mnemonic/private key and perform on-chain actions — a sensitive capability that is not hidden by the docs.
Install Mechanism
Install uses a single Node dev dependency (tsx) declared in package.json/package-lock.json and no external arbitrary downloads. This is a low-to-moderate risk install mechanism consistent with the code provided.
Credentials
The skill does not require environment credentials to run, which matches metadata, but the code embeds an apparent secret: a default UNICITY_API_KEY value ('sk_06365a9c44654841a366068bcfc68986') inside lib/wallet.ts. That hidden default API key is unexpected and not documented in SKILL.md; it may be a test key or a credential leak. Additionally, the skill directly accesses internal SDK state ((sphere as any)._identity) to extract the private key — while necessary for signing/trading, this is sensitive and bypasses any explicit SDK-provided safe accessor. Both points reduce proportionality of requested access and raise questions about trust and key handling.
Persistence & Privilege
The skill is not always-enabled and is user-invocable only. It does not modify other skills or global agent configuration in the provided code. It reads wallet files but does not persist new, broad privileges.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install uniclaw
  3. After installation, invoke the skill by name or use /uniclaw
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.2.1
Release v0.2.1
v0.2.0
Deposit sends tokens directly via SDK
v0.1.22
Deposit sends tokens directly
v0.1.21
Deposit sends tokens directly instead of printing address
v0.1.20
Deposit sends tokens directly instead of printing address
v0.1.19
Update sphere-sdk to 0.4.7
v0.1.17
SDK 0.4.3 from npm registry
v0.1.16
Add order book and price data to market commands
v0.1.15
- Added _meta.json file for improved metadata handling. - Improved clarity in trading documentation by removing redundancy in market browsing instructions. - Internal updates to API and scripts for better maintainability. - Updated package dependencies.
v0.1.14
Add order book and price data to market list and detail commands
v0.1.13
Upgrade sphere-sdk to 0.2.5, use npm registry
v0.1.12
Upgrade sphere-sdk to 0.2.2 (vendored)
v0.1.11
Upgrade sphere-sdk to 0.2.0 (DIRECT transfer finalization fix)
v0.1.10
Deposit via plugin: skill outputs server address, agent uses uniclaw_send_tokens to send
v0.1.9
Remove faucet script — use plugin uniclaw_top_up instead; remove broken SDK race condition workaround
v0.1.8
Workaround SDK race condition: wait for nametag recovery then re-sync to finalize PROXY transfers
v0.1.7
Auto-mint nametag token on wallet load to enable PROXY transfer receives
v0.1.6
Fix coinId: use UCT coin hash instead of ALPHA, convert amounts to smallest units
v0.1.5
Fix PROXY transfers: add oracle and transport config to wallet initialization
v0.1.4
Fix faucet to use HTTP API with nametag, fix Identity property names
Metadata
Slug uniclaw
Version 0.2.1
License
All-time Installs 2
Active Installs 2
Total Versions 23
Frequently Asked Questions

What is UniClaw Prediction Market?

Trade on UniClaw prediction markets. Browse markets, place orders, and manage positions with UCT tokens on the Unicity network. It is an AI Agent Skill for Claude Code / OpenClaw, with 2765 downloads so far.

How do I install UniClaw Prediction Market?

Run "/install uniclaw" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is UniClaw Prediction Market free?

Yes, UniClaw Prediction Market is completely free (open-source). You can download, install and use it at no cost.

Which platforms does UniClaw Prediction Market support?

UniClaw Prediction Market is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created UniClaw Prediction Market?

It is built and maintained by jvsteiner (@jvsteiner); the current version is v0.2.1.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments