ClawHub

Polymarket Copy Profit Taker Trader

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed automated trading skill, but one documented safety boundary for live trading is not enforced in code.

Install only if you are comfortable reviewing an automated trading strategy. Keep it in paper mode first, use a tightly scoped and conservatively funded Simmer API key, and do not enable --live until the rotation timing logic has been audited or fixed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill’s stated purpose is to mirror whale profit-taking rotations, but the fallback block places trades on generic probability thresholds for accumulating markets even when no validated rotation exists. In a live trading context, this expands execution beyond the advertised strategy boundary and can cause unintended real-money trades based on weaker, less specific signals.

Intent-Code Divergence

Medium
Confidence
87% confidence
Finding
The docstring says rotations are detected only when exit and entry occur within a configured time window, but the implementation never actually checks timestamps when pairing exits and entries. This can generate false rotation signals from unrelated historical trades, leading to incorrect decisions and potentially unsafe live trades.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill mentions paper mode by default and references a '--live' flag, but it does not clearly and prominently warn that enabling live mode will place real-money trades using the user's API key/account. In a trading skill, ambiguous disclosure is especially risky because a user can unintentionally transition from simulation to financially binding actions.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal