← 返回 Skills 市场
jvsteiner

UniClaw Prediction Market

作者 jvsteiner · GitHub ↗ · v0.2.1
cross-platform ⚠ suspicious
2765
总下载
0
收藏
2
当前安装
23
版本数
在 OpenClaw 中安装
/install uniclaw
功能描述
Trade on UniClaw prediction markets. Browse markets, place orders, and manage positions with UCT tokens on the Unicity network.
安全使用建议
Before installing or running this skill, consider: (1) It will read your Unicity wallet (mnemonic/private key) and use that key to sign requests and send tokens — only run this if you fully trust the UniClaw server. (2) The code contains a hard-coded UNICITY_API_KEY default; ask the maintainer what that key is for, rotate or remove it if it is a real secret, and prefer supplying your own API key via environment variable. (3) If you want to reduce blast radius, use a separate test wallet with minimal funds (not your main wallet) or run the skill against a self-hosted UniClaw server (set UNICLAW_SERVER). (4) The code accesses an internal SDK field to extract privateKey — review that choice and prefer an SDK API that doesn't expose private keys if possible. If you need higher assurance, request the server's source code or run the client against a server you control; otherwise treat this skill as sensitive and proceed cautiously.
功能分析
Type: OpenClaw Skill Name: uniclaw Version: 0.2.1 The skill is classified as suspicious due to several vulnerabilities, though it lacks clear evidence of intentional malice. Key concerns include the ability to override the `UNICLAW_SERVER` environment variable (lib/config.ts), which could redirect cryptographically signed API requests to an attacker-controlled server. Additionally, the `scripts/withdraw.ts` functionality allows sending tokens to an arbitrary address, presenting a significant prompt injection risk against the AI agent. A hardcoded `UNICITY_API_KEY` (lib/wallet.ts) for an oracle is also present, which could be a minor vulnerability depending on its privileges. While these are vulnerabilities and potential attack surfaces, the skill's code and instructions (SKILL.md) are transparently aligned with its stated purpose of interacting with a prediction market, and do not contain explicit malicious commands or data exfiltration attempts.
能力评估
Purpose & Capability
The name/description (trading on UniClaw) match the code and scripts: the skill lists markets, places orders, deposits/withdraws, and signs requests using the Unicity wallet. Requiring node/npx and a TypeScript runner (tsx) is proportional to the packaged scripts.
Instruction Scope
The SKILL.md explicitly instructs the agent to read the shared Unicity wallet (~/ .openclaw/unicity/) and to use the Unicity plugin for top-ups; the scripts indeed load the wallet, extract a private key, and sign requests to the UniClaw server. That is within the stated trading scope, but it means the skill will access your wallet's mnemonic/private key and perform on-chain actions — a sensitive capability that is not hidden by the docs.
Install Mechanism
Install uses a single Node dev dependency (tsx) declared in package.json/package-lock.json and no external arbitrary downloads. This is a low-to-moderate risk install mechanism consistent with the code provided.
Credentials
The skill does not require environment credentials to run, which matches metadata, but the code embeds an apparent secret: a default UNICITY_API_KEY value ('sk_06365a9c44654841a366068bcfc68986') inside lib/wallet.ts. That hidden default API key is unexpected and not documented in SKILL.md; it may be a test key or a credential leak. Additionally, the skill directly accesses internal SDK state ((sphere as any)._identity) to extract the private key — while necessary for signing/trading, this is sensitive and bypasses any explicit SDK-provided safe accessor. Both points reduce proportionality of requested access and raise questions about trust and key handling.
Persistence & Privilege
The skill is not always-enabled and is user-invocable only. It does not modify other skills or global agent configuration in the provided code. It reads wallet files but does not persist new, broad privileges.
如何使用
  1. 确保已安装 OpenClaw(本地或 Docker 部署)
  2. 在对话框中输入安装命令:/install uniclaw
  3. 安装完成后,直接呼叫该 Skill 的名称或使用 /uniclaw 触发
  4. 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v0.2.1
Release v0.2.1
v0.2.0
Deposit sends tokens directly via SDK
v0.1.22
Deposit sends tokens directly
v0.1.21
Deposit sends tokens directly instead of printing address
v0.1.20
Deposit sends tokens directly instead of printing address
v0.1.19
Update sphere-sdk to 0.4.7
v0.1.17
SDK 0.4.3 from npm registry
v0.1.16
Add order book and price data to market commands
v0.1.15
- Added _meta.json file for improved metadata handling. - Improved clarity in trading documentation by removing redundancy in market browsing instructions. - Internal updates to API and scripts for better maintainability. - Updated package dependencies.
v0.1.14
Add order book and price data to market list and detail commands
v0.1.13
Upgrade sphere-sdk to 0.2.5, use npm registry
v0.1.12
Upgrade sphere-sdk to 0.2.2 (vendored)
v0.1.11
Upgrade sphere-sdk to 0.2.0 (DIRECT transfer finalization fix)
v0.1.10
Deposit via plugin: skill outputs server address, agent uses uniclaw_send_tokens to send
v0.1.9
Remove faucet script — use plugin uniclaw_top_up instead; remove broken SDK race condition workaround
v0.1.8
Workaround SDK race condition: wait for nametag recovery then re-sync to finalize PROXY transfers
v0.1.7
Auto-mint nametag token on wallet load to enable PROXY transfer receives
v0.1.6
Fix coinId: use UCT coin hash instead of ALPHA, convert amounts to smallest units
v0.1.5
Fix PROXY transfers: add oracle and transport config to wallet initialization
v0.1.4
Fix faucet to use HTTP API with nametag, fix Identity property names
元数据
Slug uniclaw
版本 0.2.1
许可证
累计安装 2
当前安装数 2
历史版本数 23
常见问题

UniClaw Prediction Market 是什么?

Trade on UniClaw prediction markets. Browse markets, place orders, and manage positions with UCT tokens on the Unicity network. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 2765 次。

如何安装 UniClaw Prediction Market?

在 OpenClaw 或 Claude Code 对话框中运行命令「/install uniclaw」即可一键安装,无需额外配置。

UniClaw Prediction Market 是免费的吗?

是的,UniClaw Prediction Market 完全免费(开源免费),可自由下载、安装和使用。

UniClaw Prediction Market 支持哪些平台?

UniClaw Prediction Market 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。

谁开发了 UniClaw Prediction Market?

由 jvsteiner(@jvsteiner)开发并维护,当前版本 v0.2.1。

推荐 Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 留言讨论