Polymarket Micro Weather Sniper Trader

Security checks across malware telemetry and agentic risk

Overview

This automated trading skill is purpose-aligned, but it needs review because live trades can be justified with misleading weather-source provenance.

Review before live use. Keep it in paper mode unless you intentionally want real USDC trades, protect SIMMER_API_KEY as a financial credential, set conservative position limits, and require accurate provider tracking before relying on its trade reasoning or audit logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Description-Behavior Mismatch

Medium
Confidence: 91%
Finding
The code uses wttr.in as a third fallback provider even though the skill description only discloses NOAA and Open-Meteo. In a trading skill, undisclosed data sources matter because they can materially affect decisions, reliability, privacy posture, and auditability; operators may believe they are relying on a narrower trust boundary than they actually are.

Intent-Code Divergence

Medium
Confidence: 93%
Finding
The logging labels all forecasts as NOAA even though the code may be using Open-Meteo or wttr.in. This creates misleading provenance during monitoring, debugging, and incident review, which is especially risky in an automated trading context where users may trust trades based on the stated source quality and expected methodology.

Intent-Code Divergence

Medium
Confidence: 95%
Finding
Trade reasoning and signal_data hardcode NOAA as the signal source even when fallback providers may have supplied the forecast. This can poison downstream audit trails and risk controls that rely on source metadata, causing users or systems to over-trust trades based on incorrect assumptions about model accuracy and data provenance.

VirusTotal

67/67 vendors flagged this skill as clean.
