ClawHub

polymarket-predictradar-news-impact-skills

Security checks across malware telemetry and agentic risk

Overview

This skill is an instruction-only Polymarket news analysis helper with disclosed web search and market-data queries, and no evidence of hidden persistence, credential use, mutation, or exfiltration.

Install this only if you want an agent to connect current news with Polymarket data. Review the separate polymarket-data-layer dependency before use, and expect the agent to run web searches and read market/trade data, including public wallet-address trade summaries, when relevant prompts are invoked.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger phrases are broad enough to match ordinary news-related queries, which can cause the skill to activate when the user did not intend Polymarket/news-correlation analysis. In an agent environment, over-broad activation can route user input to web search and market-analysis flows unnecessarily, increasing the chance of irrelevant data access, confusion, and unintended tool use.

Natural-Language Policy Violations

Medium
Confidence
79% confidence
Finding
The instruction to translate keywords to English without user opt-in can alter user-provided meaning, names, or nuance, especially for multilingual or politically sensitive topics. While not a direct code-execution issue, it creates integrity and privacy risks by transforming user content before search, which may produce incorrect market matches or mis-handle user language expectations.

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal