ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

polymarket-predictradar-news-impact-skills

v1.0.0

Breaking news + Polymarket market correlation analysis. Scan today's major news and track its impact on prediction market probabilities, or find all related...

0· 64·0 current·0 all-time
byYeri@cnica
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's stated goal (map news → Polymarket market impacts) matches the SQL and API-style queries in SKILL.md. However the instructions explicitly require code from a different skill (../../polymarket-data-layer/scripts/mcp-client and gamma-client) while the skill metadata declares no dependency — an undeclared dependency on another skill's internals is an inconsistency.
!
Instruction Scope
SKILL.md tells the agent to require and use other skill scripts by relative path. That means the agent will attempt to read/execute code outside this skill's own files, which can reveal or reuse secrets, internal client logic, or privileged database access. The instructions also call for WebSearch, Polymarket searches and DB queries; those are fine for the purpose but the file-system access of another skill is scope creep.
Install Mechanism
This is an instruction-only skill with no install spec or downloaded code, so it does not itself install arbitrary binaries — low install risk. The risk comes from runtime interactions with other skills, not from an installer.
!
Credentials
The skill declares no env vars or credentials, but the mcp/gamma clients it instructs to use almost certainly rely on database/API credentials or tokens (not declared here). That mismatch means the skill assumes implicit access to credentials via the referenced polymarket-data-layer or the agent environment; required secrets are not documented or scoped.
Persistence & Privilege
The skill does not request permanent presence (always:false) and has no install steps that persist artifacts. The main privilege concern is the instruction to load other skill files at runtime, but it does not request to modify other skills or agent-wide settings.
What to consider before installing
Before installing or enabling this skill: 1) Confirm that a trusted polymarket-data-layer skill exists in your agent environment and inspect its code (mcp-client/gamma-client) to see what credentials or DB access it exposes. 2) Ask the skill author to declare dependencies and any required credentials (API keys, DB access) explicitly — a skill should not rely on implicit access to another skill's internals. 3) If you enable it, run it in a sandboxed agent or with limited permissions until you verify it only accesses expected Polymarket data endpoints. 4) If you cannot inspect polymarket-data-layer, treat this skill as higher-risk and avoid granting autonomous invocation or broad environment privileges.

Like a lobster shell, security has layers — review code before you run it.

latestvk97aepnn9ae12tmy1mw4w4e54s843fcx

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments