ClawHub
Back to skill

Security audit

Polymarket Bundle Overwatch Bo3 Trader

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Polymarket trading skill that defaults to paper trading and only makes live trades when explicitly run with a live flag.

Install only if you intend to use a financial trading bot. Keep it in paper mode first, protect `SIMMER_API_KEY` like a trading credential, set conservative position limits, and do not treat the strategy as guaranteed or risk-free, especially when no Game 3 market exists.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill explicitly requires a high-value credential (`SIMMER_API_KEY`) and describes live trading capability, but the metadata does not declare corresponding permissions. That mismatch is dangerous because it obscures the true privilege boundary of the skill, reducing review visibility and increasing the chance an operator grants sensitive execution capability without informed consent.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The skill description/comments present the BO3 relationship as mechanically consistent from Game 1 and Game 2 prices, but the implementation substitutes a default 50% Game 3 probability when no Game 3 market exists. That can generate systematically wrong 'arbitrage' signals and cause the bot to place real trades on a false premise, especially in live mode where the edge is not actually risk-free.

VirusTotal

58/58 vendors flagged this skill as clean.

View on VirusTotal