Simmer Resolution Tracker

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly upfront about tracking and redeeming Polymarket positions, but it needs Review because it can run recurring live wallet transactions using local credentials with limited safeguards.

Install only if you intentionally want a recurring automation that can redeem Polymarket positions with your wallet key. Run POLY_MODE=sim first, use a dedicated low-balance wallet, review or remove implicit .env loading, keep DATA_DIR in an app-owned directory, inspect bundled state files before first run, and use Discord webhooks only for private destinations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (11)

Tainted flow: 'req' from os.environ.get (line 100, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
            headers={"Content-Type": "application/json"},
            method="POST",
        )
        urllib.request.urlopen(req, timeout=10)
    except Exception as e:
        print(f"  ⚠️  Webhook error: {e}")
Confidence
96% confidence
Finding
urllib.request.urlopen(req, timeout=10)

Tainted flow: 'tmp' from os.environ.get (line 179, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
def save_journal(trades):
    tmp = JOURNAL_PATH + ".tmp"
    Path(tmp).parent.mkdir(parents=True, exist_ok=True)
    with open(tmp, "w") as f:
        for t in trades:
            f.write(json.dumps(t) + "\n")
    os.replace(tmp, JOURNAL_PATH)
Confidence
93% confidence
Finding
with open(tmp, "w") as f:

Tainted flow: 'RESOLVED_PATH' from os.environ.get (line 56, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
return
                except Exception:
                    pass
    with open(RESOLVED_PATH, "a") as f:
        f.write(json.dumps(trade) + "\n")
Confidence
93% confidence
Finding
with open(RESOLVED_PATH, "a") as f:

Tainted flow: '_COOLDOWN_PATH' from os.environ.get (line 223, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
            s["consecutive_losses"] = 0
        else:
            s["consecutive_losses"] = s.get("consecutive_losses", 0) + 1
        with open(_COOLDOWN_PATH, "w") as f:
            json.dump(state, f, indent=2)
    except Exception as e:
        print(f"  ⚠️  Cooldown update error: {e}")
Confidence
92% confidence
Finding
with open(_COOLDOWN_PATH, "w") as f:

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill requests and describes capabilities to read environment variables, access the filesystem, use the network, and invoke shell/cron-like execution, but it does not declare permissions. That creates a transparency and sandboxing problem: operators cannot accurately assess or constrain what the skill will access, despite it handling highly sensitive secrets like a wallet private key and transmitting data externally.

Tp4

High
Category
MCP Tool Poisoning
Confidence
88% confidence
Finding
The documented behavior does not fully match the detected behavior: persisting cooldown state and redeeming older redeemable positions goes beyond simply processing newly resolved positions. In a trading/on-chain context, undocumented state tracking and broader redemption sweeps can cause unexpected financial actions, create audit gaps, and make operators approve behavior they did not knowingly authorize.

Context-Inappropriate Capability

Low
Confidence
89% confidence
Finding
The skill automatically reads .env from the current directory or the user's home directory, which expands its trust boundary to arbitrary local files unrelated to the stated purpose. In practice this can import attacker-planted configuration or secrets unexpectedly, altering network endpoints, storage paths, and execution mode in a cron context.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The code performs a broad sweep to redeem any redeemable positions, not just the newly resolved winning positions described in the skill metadata. This expands the scope of on-chain actions beyond the declared behavior, increasing the chance of unintended asset operations and making the automation more dangerous if misconfigured or compromised.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill advertises Discord webhook alerts but does not warn that trade resolution details will be sent to a third-party endpoint outside the local environment. This can leak sensitive trading activity, PnL, strategy identifiers, or timing information, which is especially risky for automated trading operations and shared webhook channels.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill advertises Discord webhook alerts but does not warn that trade resolution details will be sent to a third-party endpoint outside the local environment. This can leak sensitive trading activity, PnL, strategy identifiers, or timing information, which is especially risky for automated trading operations and shared webhook channels.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
In live mode the script can trigger on-chain redemptions automatically using the wallet private key, with no explicit confirmation, policy check, or secondary authorization. Because it is intended to run from cron every five minutes, any logic error, bad API response, or malicious environment/config manipulation can repeatedly cause real blockchain actions.

VirusTotal

64/64 vendors flagged this skill as clean.
