PolyGuard Martin Pro

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it advertises, but it can automatically place real Polymarket trades with a live API key and no built-in order or spending limits.

Review before installing. Use only a minimal-permission Polymarket key if available, start with the smallest possible size or a paper/sandbox setup, and do not run it unattended unless you add safeguards such as explicit live-trading opt-in, max spend, max order count, cooldown, and automatic stop after a successful order.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill continuously monitors prices and places live orders automatically once a threshold is met, with no interactive confirmation, dry-run mode, or explicit irreversible-action safeguard. In an agent-skill context, this increases the chance of unintended financial loss from misconfiguration, bad inputs, or autonomous triggering without the user's immediate awareness.

Vague Triggers

Medium
Confidence: 88%
Finding
The manifest description, "Free, open-source Polymarket auto-trading skill. No data collection.", is marketing-style and does not clearly constrain the circumstances under which the skill should be invoked. For an auto-trading capability that can place market actions using an API key, vague invocation language increases the risk of accidental or overly broad activation, which can lead to unintended trades and financial loss.

VirusTotal

64/64 vendors flagged this skill as clean.
