ClawHub

Polymarket Copy Size Conviction Trader

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Polymarket copy-trading skill that defaults to paper trading and only places real trades when run with an explicit live flag.

Install only if you are comfortable providing a Simmer API key for a trading workflow. Start in paper mode, keep position limits low, review logs and signals before using --live, and revoke or restrict the API key if you stop using the skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill documentation indicates capability to use environment variables and external network access (`SIMMER_*` env vars, leaderboard scraping, on-chain trade fetching, Simmer API interaction), but no explicit permissions are declared. In an agent platform, undeclared sensitive capabilities reduce transparency and can cause users or orchestrators to authorize a skill without understanding that it can read secrets and perform external requests.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill explicitly supports live trading (`No --live flag = simulated trades`) and says it can 'Execute or paper-trade', but it does not clearly warn that enabling live mode can place real-money orders using user funds. In a trading skill, that omission is especially dangerous because a user may treat `--live` as a routine mode toggle without understanding that it can trigger irreversible financial transactions.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal