Polymarket BTC Trader

Security checks across malware telemetry and agentic risk

Overview

This skill can run automated real-money trading, but its artifacts mix paper-trading claims with live trading code and expose weakly controlled web actions.

Install only after reviewing and modifying it as live-money trading software. Require a clear paper-vs-live mode, default dry-run behavior, authenticated localhost-only dashboard access, removal or isolation of the Simmer trading panel, explicit confirmations and limits for live orders, and rotation of any credentials that may have been placed into browser code or local .env files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (21)

Description-Behavior Mismatch

Severity: High
Confidence: 95%
Finding
The README presents the bot as a paper-trading simulator, but elsewhere requires real Polymarket API credentials and references real on-chain trading behavior. This mismatch can mislead users into supplying live credentials or exposing funded accounts under a false sense of safety, which is especially dangerous in a trading bot context.

Intent-Code Divergence

Severity: Medium
Confidence: 93%
Finding
The 'paper trading mode' claim is contradicted by later instructions saying real Polymarket credentials are mandatory even in this mode. Contradictory safety messaging can cause users to underestimate operational and financial risk when configuring the bot.

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding
The UI exposes a second trading platform mode ('Simmer') that is outside the declared Polymarket BTC bot scope, indicating hidden or undeclared functionality. In a trading skill with real-money capability, scope expansion increases the chance that users or other components invoke unexpected workflows, markets, or execution paths that were not reviewed or consented to.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding
The dedicated Simmer panel includes opportunities, positions, balances, and trade history for a separate trading system, which materially exceeds the advertised functionality of a BTC-only Polymarket bot. Because this skill also references real-wallet and real-USDC usage, undisclosed multi-platform trading features materially enlarge the attack surface and can lead to unauthorized or misunderstood trades.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding
The quick-order form allows manual entry of an arbitrary market ID, side, amount, and source, enabling trading on markets beyond the stated BTC-only automation scope. In a system that may execute real USDC trades, this is dangerous because it creates a generic trade primitive that can be abused for unintended market access, operator mistakes, or unauthorized order placement.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding
The UI text repeatedly states that the real-account view is read-only and will not place real orders, but the same frontend file adds Simmer trading functionality that can submit live trade requests to an external platform. This creates a dangerous trust mismatch: users may believe they are only viewing status while the page can actually execute external trades, increasing the risk of accidental unauthorized trading.

Context-Inappropriate Capability

Severity: High
Confidence: 94%
Finding
A Polymarket BTC status/dashboard page unexpectedly includes browsing and trading logic for an unrelated third-party platform, Simmer. Expanding scope in this way increases attack surface, confuses users about what system they are interacting with, and makes it easier to hide risky behavior inside a page that appears to be only for monitoring a different trading bot.

Context-Inappropriate Capability

Severity: High
Confidence: 100%
Finding
The frontend embeds a Bearer credential and uses it directly from browser JavaScript to access third-party account and trading APIs. Any user visiting the page can extract the token from source or network traffic and reuse it to query accounts or place trades against the external service, resulting in credential compromise and possible financial loss.

Intent-Code Divergence

Severity: Medium
Confidence: 96%
Finding
The code describes the AI as a 'paper-trading analyzer' but directly uses its output to drive real on-chain trading decisions. This is dangerous because it lowers operator caution and can cause users to trust an AI component for live financial execution under a misleading safety framing.

Intent-Code Divergence

Severity: Medium
Confidence: 89%
Finding
The comment says Simmer Bridge external signals can override AI, but the implementation loads a local OpenClaw decision file and then checks mismatched fields. This discrepancy can cause operators to misunderstand what data source actually controls trades and may result in unexpected or unauthorized strategy overrides.

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding
This status server is not read-only: it exposes unauthenticated endpoints that can toggle trading and modify local notification/state files. Because the server binds on all interfaces and sets permissive CORS headers, any reachable user or website could potentially send requests that alter bot behavior, making this much more dangerous in the context of an automated live trading system.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding
The `/api/merge-history` endpoint performs a privileged file merge and overwrites local trading state using hard-coded filesystem paths, even though this functionality is unrelated to normal monitoring. Exposing maintenance or repair logic as a GET-accessible web endpoint increases attack surface and allows unauthorized tampering with performance history and state integrity.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The README instructs users to configure API keys and use network-connected trading and AI services, but it does not clearly warn that these credentials are sensitive or that trading/market data may be transmitted to third-party endpoints. In a bot handling exchange-like and wallet-linked credentials, missing disclosure increases the chance of accidental secret exposure and uninformed data sharing.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The skill promotes fully automated real-money, on-chain trading but does not prominently warn users about financial loss, wallet exposure, or live-order execution. In this context, omission of explicit risk disclosure can cause users to run the bot against real funds without understanding the consequences.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The quick-start instructions take the user directly from setup to bot launch without any checkpoint to verify wallet addresses, API keys, network, market, or whether live trading is enabled. For an automated trading bot, this increases the chance of accidental real-money execution, wrong-account use, or misconfigured external API access.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding
The interface exposes a switch to a 'real account' and a trading toggle without any visible warning, confirmation, or friction about financial risk or live execution impact. In a real-money trading context, weak UX safeguards can cause accidental activation of live trading, especially when both simulation and real modes coexist in the same console.

Missing User Warnings

Severity: High
Confidence: 96%
Finding
The quick-trade control explicitly states it can trade in virtual SIM or real USDC, yet the execution button lacks a strong warning, confirmation dialog, or clear default-safe mode. In a financial trading interface, one-click execution with ambiguous environment selection materially increases the risk of accidental real-money orders and user harm.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The UI can send a live external trade request as soon as the action is triggered, without a confirmation dialog, risk warning, or prominent indication that real trading is about to occur on a third-party service. In a trading context, the absence of a final confirmation materially raises the chance of accidental execution and unintended financial exposure.

Missing User Warnings

Severity: High
Confidence: 98%
Finding
This function places real-money orders programmatically without any interactive confirmation, explicit user acknowledgment, or in-code safety interlock. In a skill that manages wallet keys and executes chain trades, autonomous order placement substantially increases the risk of unintended financial loss from bugs, prompt issues, or manipulated inputs.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The script uses `pkill -f "status_server.py"`, which terminates any process whose command line matches that string, not just the panel instance started by this skill. In a shared environment, this can kill unrelated processes and cause denial of service or operational disruption, especially because it runs without confirmation and without validating ownership via the stored PID file.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
Public API endpoints expose wallet-linked positions, trades, and orders for the configured real account without authentication. While the underlying wallet data may be publicly derivable from blockchain-related services, this server aggregates and republishes it in an easy-to-query format, materially lowering the effort required to profile the operator's activity.

VirusTotal

65/65 vendors flagged this skill as clean.