Back to skill

Security audit

Polymarket Agent

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Polymarket trading assistant, but it can store a wallet private key and enable real-money trading without per-trade confirmation.

Review before installing. Use only a dedicated wallet with limited funds, keep autonomous mode disabled unless you deliberately accept automated trading risk, confirm every trade manually, avoid revealing POLYMARKET_KEY through the config command, and prefer pinned dependency versions or a lockfile before setup.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Output HandlingUnvalidated Output Injection, Cross-Context Output, Unbounded Output
  • Rogue AgentSelf-Modification, Session Persistence
Findings (28)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Set config
        cmd = ["clawdbot", "config", "set", f"skills.entries.polymarket-agent.env.{key}", value]
        try:
            subprocess.run(cmd, check=True)
            console.print(f"[green]✔ Set {key} = {value}[/green]")
        except Exception as e:
            console.print(f"[red]✘ Failed: {e}[/red]")
Confidence
78% confidence
Finding
subprocess.run(cmd, check=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
for name, cmd in checks:
        try:
            subprocess.run(cmd, shell=True, check=True, capture_output=True)
            console.print(f"  [green]✔[/green] {name}")
        except:
            console.print(f"  [red]✘[/red] {name} - NOT FOUND")
Confidence
97% confidence
Finding
subprocess.run(cmd, shell=True, check=True, capture_output=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Get config
        cmd = ["clawdbot", "config", "get", f"skills.entries.polymarket-agent.env.{key}"]
        try:
            result = subprocess.run(cmd, capture_output=True, text=True)
            console.print(f"[cyan]{key}[/cyan] = {result.stdout.strip()}")
        except Exception as e:
            console.print(f"[red]✘ Failed: {e}[/red]")
Confidence
74% confidence
Finding
result = subprocess.run(cmd, capture_output=True, text=True)

Lp3

Medium
Category
MCP Least Privilege
Confidence
97% confidence
Finding
The skill advertises and instructs use of shell commands, network access, and environment-backed secrets (`POLYMARKET_KEY`) without declaring explicit permissions. This creates a capability transparency gap: a user or host system may authorize the skill expecting passive analysis, while it can actually execute commands, access secrets, and interact with external services including trading infrastructure.

Tp4

High
Category
MCP Tool Poisoning
Confidence
99% confidence
Finding
The documented behavior substantially exceeds the stated purpose: beyond analysis, the skill can install software, configure a wallet, access balances, persist trading configuration, and place live buy/sell orders, including mention of autonomous mode. That mismatch is dangerous because users may consent to research tooling but unknowingly expose funds and credentials to an agent capable of executing irreversible financial actions.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
This CLI can read and write host configuration through external `clawdbot config` commands, which expands its authority beyond simple market analysis/trading and gives it control over broader agent settings. In skill context, that is more dangerous because a trading skill should not need unrestricted host config management, and abuse could reconfigure execution, credentials, or autonomy behavior.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The health-check feature probes the local environment by executing multiple host commands, which is unnecessary privilege for a prediction-market skill and broadens the system-inspection surface. In an agent ecosystem, this kind of host introspection can be chained with other behaviors to fingerprint the environment and assist follow-on abuse.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The script tells the user the private key is stored securely and never leaves the machine, but then passes the raw wallet key as a command-line argument to an external process. Command-line arguments can be exposed through process listings, shell history wrappers, logging, crash reports, or monitoring tools, which can leak the key and allow full wallet compromise.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The README includes broad natural-language prompts such as 'What should I bet on?' and 'Analyze Polymarket opportunities' that could cause the agent to activate in contexts where the user did not intend a market-trading workflow. In a skill that can inspect balances and facilitate trades, ambiguous invocation language increases the chance of unintended financial actions or risky recommendations being surfaced without clear scoping.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The README advertises wallet setup, balance checks, and buy/sell commands without prominent warnings about financial loss, irreversible transactions, private key handling, or the need for explicit user approval before executing trades. In the context of a prediction-market agent tied to a funded wallet, omission of these safeguards makes misuse and unsafe operation more likely, especially for less experienced users.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger phrase 'Analyze Polymarket or similar' is overly broad and can activate the skill on loosely related user requests. In a skill with shell, network, memory, and trading-oriented behaviors, ambiguous activation increases the chance of unintended market scans, balance checks, setup prompts, or progression toward sensitive actions without clear user intent.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The instruction to run `poly setup` when a user asks to 'setup' or 'configure' is ambiguous and overlaps with many benign assistant interactions. Because setup likely provisions authenticated trading access and wallet configuration, a generic phrase could steer the agent into credential-binding or account-changing actions that the user did not specifically intend for this skill.

Missing User Warnings

Low
Confidence
90% confidence
Finding
The `doctor` command performs subprocess-based local environment inspection without clearly warning the user that host commands will be executed. While the commands are simple, silent host-command execution reduces transparency and can normalize risky behavior in a trading tool.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The `auto` command enables autonomous trading mode immediately, without any confirmation, secondary prompt, or safeguard despite explicitly stating that trades may execute without confirmation. In this skill context, that is especially dangerous because it can directly lead to unauthorized or unintended financial transactions.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script can place a live market order directly from command-line arguments without any confirmation prompt, dry-run mode, or prominent warning that real funds will be used. In an autonomous trading skill, this increases the chance of accidental execution, malformed input leading to unintended trades, or unsafe invocation by other components without explicit human approval.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
"""
    🤖 **Toggle autonomous trading mode**.
    
    When enabled, the agent can execute trades without confirmation.
    ⚠️ USE WITH CAUTION.
    """
    status = "ENABLED" if enable else "DISABLED"
Confidence
97% confidence
Finding
without confirmation

Unvalidated Output Injection

High
Category
Output Handling
Content
# Get config
        cmd = ["clawdbot", "config", "get", f"skills.entries.polymarket-agent.env.{key}"]
        try:
            result = subprocess.run(cmd, capture_output=True, text=True)
            console.print(f"[cyan]{key}[/cyan] = {result.stdout.strip()}")
        except Exception as e:
            console.print(f"[red]✘ Failed: {e}[/red]")
Confidence
88% confidence
Finding
subprocess.run(cmd, capture_output

Session Persistence

Medium
Category
Rogue Agent
Content
| "What's my balance?" | Run `poly balance` |
| "Any crypto opportunities?" | `poly markets "crypto"` + research + recommend |
| "News on [topic]" | Web search + find related markets + analyze |
| "Set alert for [market]" | Create cron job to monitor |
| "What happened to [market]?" | Check resolution, explain outcome |
| "How much should I bet?" | Calculate Kelly Criterion based on edge and bankroll |
Confidence
88% confidence
Finding
Create cron job to

Unpinned Dependencies

Low
Category
Supply Chain
Content
py-clob-client
requests
rich
questionary
Confidence
94% confidence
Finding
py-clob-client

Unpinned Dependencies

Low
Category
Supply Chain
Content
py-clob-client
requests
rich
questionary
web3
Confidence
98% confidence
Finding
requests

Unpinned Dependencies

Low
Category
Supply Chain
Content
py-clob-client
requests
rich
questionary
web3
typer[all]
Confidence
92% confidence
Finding
rich

Unpinned Dependencies

Low
Category
Supply Chain
Content
py-clob-client
requests
rich
questionary
web3
typer[all]
Confidence
92% confidence
Finding
questionary

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests
rich
questionary
web3
typer[all]
Confidence
97% confidence
Finding
web3

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
95% confidence
Finding
requests

Known Vulnerable Dependency: web3 — 1 advisory(ies): CVE-2026-40072 (web3.py: SSRF via CCIP Read (EIP-3668) OffchainLookup URL handling)

Low
Category
Supply Chain
Confidence
84% confidence
Finding
web3

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.