v1.0.0

Mia Polymarket Trader

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 5:21 AM.

Analysis

This skill is openly for automated Polymarket trading, but it asks for wallet/private-key authority and references an undeclared trading command without reviewed code or enforceable limits.

Guidance: Review carefully before installing. Only use this with a trusted, auditable trading executable, a dedicated low-balance wallet, least-privilege credentials, and manual confirmation or hard caps for every trade.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: High; Confidence: High; Status: Concern
SKILL.md
AI agent that autonomously trades on Polymarket prediction markets... Automated trade execution... mia-polymarket trade --market-id "xxx" --position "yes" --amount 10

The artifact describes autonomous financial trading and provides an execution command, but does not require per-trade approval, define bounded market/amount controls, or explain how losses can be contained.

User impact: The agent could place trades that spend funds or create losses if the trading tool is available and credentials are supplied.
Recommendation: Use only with explicit manual approval for each trade, hard order limits, and a dedicated low-balance wallet; verify the trading tool before granting it authority.
Agentic Supply Chain Vulnerabilities
Severity: Medium; Confidence: High; Status: Concern
metadata
Source: unknown ... No install spec — this is an instruction-only skill. ... No code files present

The reviewed artifacts provide no implementation, pinned package, or install source for the referenced trading command, which is material because the command would handle private keys and financial trades.

User impact: Users cannot verify from these artifacts what software would actually execute trades or how it would handle keys.
Recommendation: Require a pinned, auditable implementation and explicit binary/dependency declarations before installing or running any associated trading command.
Human-Agent Trust Exploitation
Severity: Medium; Confidence: High; Status: Concern
SKILL.md
## Safety
- Max 5% portfolio per trade
- Stop-loss at 20%
- Daily reporting

The artifact asserts safety controls, but no code, install spec, or configuration is provided to show these controls are enforced.

User impact: Users may trust risk limits that are not actually guaranteed by the provided artifacts.
Recommendation: Treat the listed safety limits as unverified until an auditable implementation enforces them, and set independent account-level or wallet-level limits.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: High; Confidence: High; Status: Concern
SKILL.md
export POLYMARKET_API_KEY="your-key"
export POLYMARKET_PRIVATE_KEY="your-wallet-key"

The skill instructs users to expose both a platform API key and a wallet private key, while the registry declares no required credentials or environment variables and the artifact does not describe scope, storage, or handling.

User impact: A wallet private key can grant broad control over funds, and an API key can authorize account actions.
Recommendation: Do not provide a main wallet private key; use least-privilege credentials, a segregated wallet with limited funds, and only tools whose source and key handling you have reviewed.