polymarket-predictradar-data-layer-skills

Security checks across malware telemetry and agentic risk

Overview

This is mostly a legitimate market-data helper, but it needs review because it disables HTTPS certificate checks and exposes broad query/tool access beyond a tightly enforced read-only boundary.

Install only if you are comfortable with a networked market-data tool that sends queries and API-key headers to configured endpoints and caches trader/market data locally. Prefer fixing the Gamma TLS settings before relying on reports, keep MCP_URL pointed at a trusted service, avoid using sensitive private API keys, and validate wallet inputs before reusing the SQL examples.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 87%
Finding: The skill advertises no explicit permissions, yet its documented behavior clearly relies on environment variables and outbound network access. That gap is dangerous because downstream users or orchestrators may treat the skill as low-risk/read-only while it can still transmit data externally and consume credentials implicitly.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 93%
Finding: The description frames the skill as a shared read-only data layer, but the documented components include local cache mutation and smart-money classification/enrichment workflows that go beyond passive retrieval. This mismatch is risky because operators may approve or compose the skill under false assumptions, enabling filesystem writes and behavioral profiling logic that were not clearly disclosed.

Context-Inappropriate Capability

Medium
Confidence: 86%
Finding: The fallback guidance expands a read-only data layer into local subprocess execution by invoking a host-installed CLI. Even though `execFileSync` with an argument array reduces command-injection risk, it still causes the agent to execute a local binary whose presence, provenance, version, and behavior are outside the skill's control, increasing attack surface and violating least privilege for a shared data-access component.

Context-Inappropriate Capability

Medium
Confidence: 97%
Finding: The client is explicitly configured to use a proxy, but on proxy failure it silently retries with a direct TLS connection. In environments where the proxy is a security boundary for egress control, logging, DLP, or policy enforcement, this allows traffic to bypass intended monitoring and restrictions.

Description-Behavior Mismatch

Medium
Confidence: 94%
Finding: The skill is advertised as a read-only market intelligence layer, but it exports generic `rpc` and `callTool` primitives that allow callers to invoke any MCP method or backend-exposed tool, not just the documented safe read-only ones. If the backend later exposes state-changing or privileged methods, downstream users of this skill can bypass the intended safety boundary and perform actions outside the declared scope.

Description-Behavior Mismatch

Medium
Confidence: 91%
Finding: The module includes `cancelQueryStream`, which issues an HTTP DELETE to terminate a server-side stream despite the skill being described as read-only. Even if this does not modify market data, it is still a state-changing administrative action that can disrupt active exports or consume/cancel shared resources contrary to the advertised trust model.

Intent-Code Divergence

Medium
Confidence: 97%
Finding: The code documents `query` as 'preview-only' and 'read-only' but forwards arbitrary SQL directly to the backend via `run_query_preview` without any client-side validation or restriction. If the backend tool is misconfigured, overly permissive, or later changed, callers can submit mutating or dangerous SQL through a function that consumers may trust as safe because of the documentation.

Intent-Code Divergence

Medium
Confidence: 97%
Finding: The streaming query path has the same mismatch: it claims read-only semantics yet `openQueryStream` forwards arbitrary SQL to `open_query_stream` with no enforcement. This creates a broader attack surface because large or long-running arbitrary queries can be executed under the guise of a safe export feature, and if write-capable SQL is accepted by the backend the stream interface becomes another path to unauthorized operations.

Context-Inappropriate Capability

Medium
Confidence: 97%
Finding: The script interpolates the user-supplied wallet address directly into a SQL string inside the WHERE clause. An attacker who can control the address argument could inject SQL syntax to alter predicates, exfiltrate broader data than intended, or potentially reach dangerous database behavior depending on how `mcp.query` is implemented and what the backend permits.

Missing User Warnings

Medium
Confidence: 82%
Finding: The documentation provides and normalizes an API key value and encourages use of it without any warning about secret handling, scoping, or transmission to third-party infrastructure. Even if the shown key is public/low-privilege, this pattern trains users to embed credentials in skill docs and can lead to accidental reuse of sensitive keys or unreviewed outbound authentication.

Missing User Warnings

Medium
Confidence: 80%
Finding: The examples perform both local process execution and outbound network access without requiring any user-facing disclosure or consent. In an agent environment, silent side effects like contacting external services or invoking host binaries can leak sensitive inputs such as wallet addresses, surprise operators, and bypass expectations that a shared read-only skill only uses its primary MCP backend.

Missing User Warnings

Medium
Confidence: 99%
Finding: Setting `rejectUnauthorized: false` disables TLS certificate validation for direct Gamma API connections, allowing a man-in-the-middle with network position or a hostile proxy/network device to impersonate the API endpoint. That can lead to silent tampering with market data, response spoofing, and loss of confidentiality for requests and responses.

Missing User Warnings

Medium
Confidence: 99%
Finding: TLS validation is also disabled for the proxied CONNECT tunnel, so even when traffic goes through the proxy the client does not authenticate the remote Gamma endpoint. This permits interception or modification by a malicious proxy, compromised corporate appliance, or attacker with network access, undermining the integrity of read-only market intelligence consumed by other skills.

Missing User Warnings

Medium
Confidence: 98%
Finding: The address comes from `process.argv` and is inserted verbatim into the query without sanitization, escaping, or any warning that this path is unsafe. In the context of a data-access skill that advertises read-only market intelligence, this makes the issue more concerning because consumers may assume the helper is safe and reuse the pattern elsewhere, turning a simple inspection example into an injection primitive.

VirusTotal

65/65 vendors flagged this skill as clean.