Polymarket Trading Bot

Security checks across malware telemetry and agentic risk

Overview

This is a real-money Polymarket trading skill that is mostly purpose-aligned, but it asks for wallet private-key access and supports lightly guarded autonomous trading.

Review this carefully before installing: use only a dedicated low-balance wallet, never a primary wallet's private key; keep autonomous mode disabled unless explicit trade limits and monitoring are in place; verify where Clawdbot stores secrets; and consider pinning dependencies or installing in an isolated environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (20)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
for name, cmd in checks:
    try:
        subprocess.run(cmd, shell=True, check=True, capture_output=True)
        console.print(f"  [green]✔[/green] {name}")
    except:
        console.print(f"  [red]✘[/red] {name} - NOT FOUND")
Confidence
98% confidence
Finding
subprocess.run(cmd, shell=True, check=True, capture_output=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Get config
cmd = ["clawdbot", "config", "get", f"skills.entries.polymarket-agent.env.{key}"]
try:
    result = subprocess.run(cmd, capture_output=True, text=True)
    console.print(f"[cyan]{key}[/cyan] = {result.stdout.strip()}")
except Exception as e:
    console.print(f"[red]✘ Failed: {e}[/red]")
Confidence
88% confidence
Finding
result = subprocess.run(cmd, capture_output=True, text=True)

Tainted flow: 'cmd' from os.getenv (line 67, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
for name, cmd in checks:
    try:
        subprocess.run(cmd, shell=True, check=True, capture_output=True)
        console.print(f"  [green]✔[/green] {name}")
    except:
        console.print(f"  [red]✘[/red] {name} - NOT FOUND")
Confidence
93% confidence
Finding
subprocess.run(cmd, shell=True, check=True, capture_output=True)

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The diagnostic command grants general shell-based execution capability for environment inspection, which is broader than necessary for a prediction-market trading CLI. In an agent ecosystem, excessive tool capability increases blast radius and can be chained with environment manipulation or PATH hijacking to execute unintended code.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The setup UI assures the user that the private key 'never leaves your machine' and is stored securely, but the code forwards the key as an argument to an external CLI process. Even if the CLI is local, command-line arguments may be exposed to process inspection, shell history wrappers, logs, crash reports, or unexpected handling inside that external tool, making the assurance misleading and unsafe for a wallet private key.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The skill is described as an analysis/research agent, but this file exposes direct live-trading functionality and a CLI path that can immediately submit orders to Polymarket. That mismatch is dangerous because users or higher-level agents may invoke it under the assumption it is read-only, causing unauthorized or unintended financial transactions with real funds.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The code loads a private trading key from the environment and uses it to derive API credentials and authenticate a trading client, granting the skill the ability to act on a funded account. In the context of a supposedly analysis-focused agent, this expands privilege beyond what users may expect and increases the risk of account misuse if the skill is invoked unintentionally or composed into broader automation.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README advertises trading capabilities for an autonomous prediction-market agent but provides no warning that use may trigger real or financially consequential actions. That omission can mislead users into running commands without understanding market, legal, or monetary risk, which is especially concerning given the agent context and the explicit mention of trading functions.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger phrases are broad natural-language prompts such as requests about news, balance, or betting, which can unintentionally activate market/account workflows. In a financial skill with shell/network access and trading capability, accidental invocation increases the chance of exposing account information, creating scheduled tasks, or advancing toward order placement without deliberate user intent.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill explicitly states it may execute trades autonomously if configured, but it does not provide a strong, front-loaded warning about real-funds risk, possible losses, or the consequences of automated execution. In context, this is especially dangerous because the skill is tied to authenticated wallet operations and encourages acting on external news/sentiment signals that may be unreliable or manipulated.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The setup flow tells users to run installation scripts and `poly setup` to configure a wallet, but it does not warn that sensitive credentials or private key material may be entered, stored, or used for authenticated account actions. This omission can lead users to expose secrets or enable trading capabilities without understanding the security implications.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The CLI enables autonomous trading mode with a single config write and no secondary confirmation, despite explicitly stating that trades may occur without confirmation. In a financial trading skill, this materially increases the chance of accidental or coerced high-impact actions, making the context more dangerous than a normal preference toggle.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The place_order function performs a real network-side trade immediately after receiving parameters, with no pre-execution warning, confirmation, sanity checks, or simulation step. In an autonomous agent setting, this makes accidental, maliciously prompted, or mis-parameterized trades much more likely, potentially resulting in direct financial loss.

Unpinned Dependencies

Low
Category
Supply Chain
Content
py-clob-client
requests
rich
questionary
Confidence
95% confidence
Finding
py-clob-client

Unpinned Dependencies

Low
Category
Supply Chain
Content
py-clob-client
requests
rich
questionary
web3
Confidence
99% confidence
Finding
requests

Unpinned Dependencies

Low
Category
Supply Chain
Content
py-clob-client
requests
rich
questionary
web3
typer[all]
Confidence
94% confidence
Finding
rich

Unpinned Dependencies

Low
Category
Supply Chain
Content
py-clob-client
requests
rich
questionary
web3
typer[all]
Confidence
94% confidence
Finding
questionary

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests
rich
questionary
web3
typer[all]
Confidence
98% confidence
Finding
web3

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
98% confidence
Finding
requests

Known Vulnerable Dependency: web3 — 1 advisory(ies): CVE-2026-40072 (web3.py: SSRF via CCIP Read (EIP-3668) OffchainLookup URL handling)

Low
Category
Supply Chain
Confidence
84% confidence
Finding
web3

VirusTotal

66/66 vendors flagged this skill as clean.