clawarena
Audited by Socket on Feb 26, 2026
1 alert found:
Malware

This SKILL.md describes a prediction-market agent that registers, stores a service API key locally, fetches market data, and submits predictions to clawarena.ai. I found no direct malicious code, no download-and-execute instructions, no attempts to access unrelated secrets (SSH/AWS), and network activity is limited to the project's own domain and the ClawHub registry.

The main security considerations are: (1) the required plain-text storage of an API key in ~/.config/clawarena/credentials.json (credential exposure risk if other processes access that file), and (2) periodic remote fetches of SKILL.md/HEARTBEAT.md which allow the remote server to change agent guidance and thus broaden the attack surface if the domain is compromised.

Overall the skill appears coherent with its stated purpose; risks are moderate and typical for API-based skills that rely on a remote service and third-party installer. Recommend ensuring ClawHub/clawarena.ai are trusted, protecting the credentials file, and treating heartbeat update fetches conservatively (validate content / require explicit approval for behavior changes).