Polymarket Agent

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Polymarket trading skill, but it asks for a raw wallet private key and can enable real-money trades without per-trade confirmation.

Review this carefully before installing. Use only a dedicated wallet with limited funds, keep autonomous mode disabled, manually confirm every trade, avoid storing more trading history than necessary, and prefer pinned dependency versions before setup.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (18)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
for name, cmd in checks:
    try:
        subprocess.run(cmd, shell=True, check=True, capture_output=True)
        console.print(f"  [green]✔[/green] {name}")
    except:
        console.print(f"  [red]✘[/red] {name} - NOT FOUND")
Confidence
97% confidence
Finding
subprocess.run(cmd, shell=True, check=True, capture_output=True)

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The setup wizard can install Python packages at runtime, which expands the skill's capabilities beyond simple configuration and introduces supply-chain risk. In the context of an autonomous trading agent that already handles wallet credentials, automatic dependency installation increases the blast radius if requirements are tampered with or dependencies are malicious.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The script tells users the private key never leaves their machine, but then passes that secret as a command-line argument to an external CLI process. Command-line arguments can be exposed through process listings, shell history tooling, logs, crash reports, or monitoring agents, so the claim of secure local handling is misleading and the wallet key may be disclosed.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The skill description emphasizes analysis and research, but this file contains code that can directly place live orders on Polymarket. That mismatch increases the risk of unsafe operator assumptions: a user or upstream agent may invoke what appears to be an analytical skill and unexpectedly execute financial transactions with real funds.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The README advertises very broad natural-language triggers such as "What should I bet on?" and "Check my balance," which can easily overlap with ordinary conversation in a host chat environment. In a skill that can research markets, access wallet state, and ultimately facilitate trading, ambiguous invocation increases the chance of accidental activation, unintended financial guidance, or disclosure of sensitive account information.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger phrases include common language such as requests about balance, news, or betting advice, which can activate sensitive trading workflows too broadly. Broad activation increases the chance of unintended invocation from casual conversation or unrelated prompts, especially in an agentic environment with shell/tool access.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The invocation guidance instructs the agent to take multi-step actions based on loosely phrased requests like 'Analyze Polymarket' or 'What Should I Bet On?' without defining strict boundaries for when tools may be used. That ambiguity can lead to overbroad autonomous behavior, including authenticated queries and preparation for trades without sufficiently explicit user consent.

Missing User Warnings

High
Confidence
96% confidence
Finding
The skill explicitly allows trade execution 'when the user approves (or autonomously if configured)' without a prominent, upfront warning about real financial consequences. Enabling autonomous trading in a conversational skill materially raises the risk of unauthorized or poorly understood loss-making actions.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill instructs the agent to remember past trades, user interests, and risk profile, but does not disclose retention, usage, or sensitivity of this financial-behavior data. Undisclosed storage of trading history and preferences can create privacy and profiling risks beyond the user's expectations.

Missing User Warnings

High
Confidence
95% confidence
Finding
The command enables a mode described as allowing trades without confirmation, yet turning it on requires no secondary confirmation, authentication step, or risk acknowledgment. In a trading agent context this is more dangerous than in a normal utility because it can materially affect financial actions and could lead to accidental or unauthorized autonomous trading behavior if other components honor the flag.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code submits a live network order immediately via create_and_post_order without any pre-trade confirmation, preview, policy gate, or spending limit checks. In an autonomous agent context, this makes accidental or manipulated invocation materially dangerous because it can trigger irreversible market actions and financial loss.

Unpinned Dependencies

Low
Category
Supply Chain
Content
py-clob-client
requests
rich
questionary
Confidence
94% confidence
Finding
py-clob-client

Unpinned Dependencies

Low
Category
Supply Chain
Content
py-clob-client
requests
rich
questionary
web3
Confidence
99% confidence
Finding
requests

Unpinned Dependencies

Low
Category
Supply Chain
Content
py-clob-client
requests
rich
questionary
web3
typer[all]
Confidence
92% confidence
Finding
rich

Unpinned Dependencies

Low
Category
Supply Chain
Content
py-clob-client
requests
rich
questionary
web3
typer[all]
Confidence
91% confidence
Finding
questionary

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests
rich
questionary
web3
typer[all]
Confidence
97% confidence
Finding
web3

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
98% confidence
Finding
requests

Known Vulnerable Dependency: web3 — 1 advisory(ies): CVE-2026-40072 (web3.py: SSRF via CCIP Read (EIP-3668) OffchainLookup URL handling)

Low
Category
Supply Chain
Confidence
90% confidence
Finding
web3

VirusTotal

64/64 vendors flagged this skill as clean.
