Polymarket Trading Assistant

Security checks across malware telemetry and agentic risk

Overview

This Polymarket trading toolkit is largely transparent about what it does, but it can autonomously place real-money trades, sign with wallet private keys, cancel live orders, and persist trading records on the local host, and the user controls over those actions are not consistently scoped.

Install only if you intentionally want an agent-assisted Polymarket trading toolkit. Use dry-run or paper mode first, avoid the `danger-auto-trade-polymarket` skill unless unattended live trading is explicitly desired, use a dedicated low-balance wallet, protect PRIVATE_KEY and the CLOB API credentials, review the cancel-all-on-error behavior, and expect local ~/polymarket-* files to retain trading history and monitoring data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (37)

Context-Inappropriate Capability

Severity: Medium | Confidence: 88%
Finding
The skill's documented behavior extends beyond executing trades: it instructs the agent to write a local portfolio state file. That adds a mutable local copy of state that can drift from the authoritative exchange state, be tampered with on the host, or be rewritten unexpectedly by upstream orchestrators, increasing the chance of incorrect portfolio decisions or unsafe automation.

Intent-Code Divergence

Severity: Medium | Confidence: 91%
Finding
The documentation claims the skill returns script JSON directly, but also specifies an automatic `cancelAll()` on execution errors, which is a hidden destructive side effect. In a real-money trading context, implicit cancellation can silently remove unrelated live orders and materially alter market exposure without a clear user instruction or confirmation.
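The safer alternative to a blanket cancel-on-error is cleanup scoped to the orders the failing run itself created, and only when the operator opted in. The following is an added example, not code from the skill or from Polymarket; `FakeClobClient` and its method names (`place_order`, `cancel_order`, `cancel_all`, `open_orders`) are constructed stand-ins, not the real CLOB client API. It runs both behaviours side by side against the same pre-existing orders.

```python
"""Scoped cleanup on execution error, instead of a blanket cancelAll().

Added example, not code from the skill. FakeClobClient and its method names
(place_order, cancel_order, cancel_all, open_orders) are constructed stand-ins,
not the Polymarket CLOB client API.
"""
import itertools
from dataclasses import dataclass, field


class FakeClobClient:
    """In-memory exchange stand-in (constructed for this example)."""

    def __init__(self, preexisting):
        # Orders already open before this run: placed by hand or by another
        # session. A blanket cancel_all() on error would remove these as well.
        self._open = set(preexisting)
        self._ids = itertools.count(100)

    def place_order(self, market, side, size, price):
        if size <= 0:
            raise ValueError("size must be positive")
        order_id = f"order-{next(self._ids)}"
        self._open.add(order_id)
        return order_id

    def cancel_order(self, order_id):
        self._open.discard(order_id)

    def cancel_all(self):
        # The destructive primitive the finding warns about: it cannot tell
        # this run's orders from anyone else's.
        self._open.clear()

    def open_orders(self):
        return set(self._open)


@dataclass
class TradingRun:
    client: FakeClobClient
    cancel_own_on_error: bool = False      # opt-in; no silent cleanup by default
    placed: list = field(default_factory=list)

    def execute(self, orders):
        """Place each order; on failure, cancel only orders this run created."""
        try:
            for o in orders:
                self.placed.append(self.client.place_order(**o))
        except Exception:
            if self.cancel_own_on_error:
                for oid in self.placed:
                    self.client.cancel_order(oid)
            raise  # surface the error instead of swallowing it
        return list(self.placed)


def demo():
    """Constructed scenario: two unrelated orders are open; the second new order is invalid."""
    orders = [
        {"market": "mkt-A", "side": "BUY", "size": 10, "price": 0.55},
        {"market": "mkt-B", "side": "SELL", "size": 0, "price": 0.40},  # fails validation
    ]
    results = {}

    # Blanket cancel-all on error (the behaviour the finding describes): wipes everything.
    blanket = FakeClobClient(["order-1", "order-2"])
    try:
        for o in orders:
            blanket.place_order(**o)
    except ValueError:
        blanket.cancel_all()
    results["blanket_open"] = blanket.open_orders()

    # Scoped cleanup: only order-100 (placed by this run) is cancelled.
    scoped = FakeClobClient(["order-1", "order-2"])
    run = TradingRun(scoped, cancel_own_on_error=True)
    try:
        run.execute(orders)
    except ValueError:
        pass
    results["scoped_open"] = scoped.open_orders()
    results["scoped_placed"] = list(run.placed)
    return results


if __name__ == "__main__":
    print(demo())
```

The scoped variant still re-raises the original error, so the orchestrator sees the failure; what changes is that the two unrelated orders survive and the operator had to ask for the cleanup explicitly.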

Intent-Code Divergence

Severity: Low | Confidence: 93%
Finding
The comment says stale points should be rejected, but the function always returns the closest point even when it is far from the requested timestamp. In a trading-monitoring skill, this can cause materially stale data to be treated as fresh, leading to incorrect price-change calculations, false alerts, or bad downstream trading decisions.
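A nearest-point lookup that actually enforces the staleness bound described in the comment, as an added example (not the skill's own code). The `(timestamp, price)` series and the tolerance values are constructed; the point is that a lookup past the tolerance returns `None` and the downstream price-change calculation refuses to run rather than silently comparing against a point 15 minutes away.

```python
"""Nearest-point lookup that rejects stale data.

Added example, not the skill's code. `points` is a list of (unix_ts, price)
pairs sorted by timestamp; the sample series below is constructed.
"""
from bisect import bisect_left


def nearest_point(points, ts, max_age_s):
    """Return the (timestamp, price) closest to ts, or None if even the closest
    point is more than max_age_s seconds away. The finding describes a version
    that skipped this last check and returned the closest point unconditionally."""
    if not points:
        return None
    times = [t for t, _ in points]
    i = bisect_left(times, ts)
    candidates = []
    if i < len(points):
        candidates.append(points[i])       # first point at or after ts
    if i > 0:
        candidates.append(points[i - 1])   # last point before ts
    best = min(candidates, key=lambda p: abs(p[0] - ts))
    if abs(best[0] - ts) > max_age_s:
        return None
    return best


def price_change(points, now, lookback_s, max_age_s):
    """Fractional change over lookback_s, or None if either endpoint is stale.
    Returning None (rather than a number) forces the caller to handle the gap
    instead of feeding a bogus change into alerts or trading logic."""
    cur = nearest_point(points, now, max_age_s)
    past = nearest_point(points, now - lookback_s, max_age_s)
    if cur is None or past is None:
        return None
    return (cur[1] - past[1]) / past[1]


# Constructed sample: prices at t=0, 60, 120 s, then a gap of almost 15 minutes.
SAMPLE = [(0, 0.50), (60, 0.52), (120, 0.55), (1000, 0.90)]

if __name__ == "__main__":
    print(nearest_point(SAMPLE, 125, 30))       # (120, 0.55)
    print(nearest_point(SAMPLE, 500, 30))       # None: nearest point is 380 s away
    print(price_change(SAMPLE, 1000, 880, 30))  # change from t=120 to t=1000
    print(price_change(SAMPLE, 1000, 500, 30))  # None: no fresh point near t=500
```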

Description-Behavior Mismatch

Severity: Medium | Confidence: 91%
Finding
The skill goes beyond transient analysis by instructing the agent to create `~/polymarket-reports`, write full reports, and append recommendation history locally. Persistent storage of trading recommendations and analysis artifacts is a data-minimization and privacy risk because it creates an unnecessary durable record on the host that may expose user interests, trading intent, or sensitive research context.

Context-Inappropriate Capability

Severity: Medium | Confidence: 88%
Finding
Maintaining a long-lived `recommendation-history.md` archive is not required to fulfill a one-shot market-pulse skill and expands the skill's access to local state over time. This increases privacy and cross-session data accumulation risk, and can unintentionally retain sensitive financial recommendations or behavior patterns beyond the immediate task.

Intent-Code Divergence

Severity: Medium | Confidence: 95%
Finding
The skill advertises that paper trading does not require a wallet, yet the manifest declares PRIVATE_KEY as required unconditionally. This can cause unnecessary collection or exposure of a highly sensitive credential even when the feature being used does not need it, increasing the blast radius of accidental leakage or misuse.

Intent-Code Divergence

Severity: Medium | Confidence: 95%
Finding
The module documentation states that live trading mode queries the CLOB API for actual order status, but the implementation always calls `check_paper_fill(order)` regardless of mode. In a trading skill, this misrepresents whether live orders were filled, canceled, or are still open, so downstream automation or operators make portfolio and risk decisions from simulated paper-trading results rather than real exchange state.
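The two findings above share a root cause: configuration and fill checking are not keyed on the trading mode. The block below is an added example (not the skill's code) that loads `PRIVATE_KEY` only in live mode and dispatches fill checks by mode. `FakeClobClient` and its `get_order_status()` method are constructed stand-ins for the exchange client, and `check_paper_fill` here is this example's own simulation, not the skill's function of the same name.

```python
"""Mode-aware credential loading and fill checking.

Added example covering two findings above: PRIVATE_KEY is only required in
live mode, and fill status is only simulated in paper mode. FakeClobClient and
its get_order_status() method are constructed stand-ins, not the Polymarket
client API; check_paper_fill is this example's own simulation.
"""

PAPER, LIVE = "paper", "live"


class ConfigError(ValueError):
    pass


def load_config(mode, env):
    """env is any mapping (e.g. os.environ). The key is read only for live mode,
    so a paper-trading session never pulls it into process memory."""
    if mode not in (PAPER, LIVE):
        raise ConfigError(f"unknown mode {mode!r}; expected {PAPER!r} or {LIVE!r}")
    cfg = {"mode": mode, "private_key": None, "warnings": []}
    if mode == LIVE:
        key = env.get("PRIVATE_KEY")
        if not key:
            raise ConfigError("PRIVATE_KEY is required for live trading")
        cfg["private_key"] = key
    elif "PRIVATE_KEY" in env:
        cfg["warnings"].append("PRIVATE_KEY is set but ignored in paper mode")
    return cfg


def check_paper_fill(order, last_price):
    """Simulated fill: a limit order is treated as filled once the market
    trades through its price. Never a valid answer for a live order."""
    if order["side"] == "BUY":
        return "FILLED" if last_price <= order["price"] else "OPEN"
    return "FILLED" if last_price >= order["price"] else "OPEN"


def check_fill(order, cfg, clob_client=None, last_price=None):
    """Dispatch on mode. The finding describes code that always took the
    paper branch, so live orders were reported from the simulation."""
    if cfg["mode"] == LIVE:
        if clob_client is None:
            raise ConfigError("live mode requires a CLOB client")
        return clob_client.get_order_status(order["id"])
    return check_paper_fill(order, last_price)


class FakeClobClient:
    """Constructed stand-in returning whatever the 'exchange' says about an order."""

    def __init__(self, statuses):
        self._statuses = statuses

    def get_order_status(self, order_id):
        return self._statuses.get(order_id, "UNKNOWN")


def demo():
    order = {"id": "o-1", "side": "BUY", "price": 0.60}
    paper_cfg = load_config(PAPER, {})                                 # no key needed
    live_cfg = load_config(LIVE, {"PRIVATE_KEY": "0x" + "ab" * 32})     # constructed dummy key
    exchange = FakeClobClient({"o-1": "CANCELED"})                     # the real state
    try:
        load_config(LIVE, {})
        live_without_key_rejected = False
    except ConfigError:
        live_without_key_rejected = True
    return {
        "paper_key_loaded": paper_cfg["private_key"] is not None,
        "live_without_key_rejected": live_without_key_rejected,
        # Same order, same market price: the simulation says FILLED, the
        # exchange says CANCELED. Only the mode decides which one is reported.
        "paper_fill": check_fill(order, paper_cfg, last_price=0.55),
        "live_fill": check_fill(order, live_cfg, clob_client=exchange, last_price=0.55),
    }


if __name__ == "__main__":
    print(demo())
```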

Missing User Warnings

Severity: Medium | Confidence: 90%
Finding
The file explicitly promotes a 'danger-auto-trade-polymarket' mode advertised as 'no confirmation required' ('无需确认') and shows a direct path from dry-run to live automatic trading, but it does not clearly warn about real-money loss, wallet impact, or irreversible transactions. In the context of prediction-market trading, users could enable live execution without understanding that funds may be spent automatically and positions changed immediately.

Missing User Warnings

Severity: Medium | Confidence: 84%
Finding
This skill is explicitly designed for non-interactive real-money trading and order cancellation, yet the description lacks a prominent warning that actions may be financially irreversible or destructive. In an orchestrated agent environment, that omission increases the risk that users or other skills invoke it casually, leading to unintended trades, losses, or mass order cancellation.

Missing User Warnings

Severity: Medium | Confidence: 86%
Finding
The metadata requires a wallet private key and related signing configuration but does not prominently warn that these are highly sensitive credentials that can enable direct asset control. In a skill ecosystem, documenting such secrets without strict handling guidance raises the risk of accidental exposure, unsafe storage, logging, or misuse by downstream tooling.

Missing User Warnings

Severity: Medium | Confidence: 92%
Finding
The reference explicitly shows constructing a wallet signer from a raw private key and deriving API credentials, but provides no guidance on secret handling, storage, redaction, or safe injection methods. In a trading skill, this omission can lead downstream agents or users to embed sensitive keys in prompts, code, logs, or config files, causing credential theft and unauthorized trading.

Missing User Warnings

Severity: Medium | Confidence: 90%
Finding
The document gives direct examples for placing market/limit orders and canceling orders, but does not warn that these actions can execute real trades, incur losses, or alter live positions. In the context of an AI trading toolkit, this increases the risk that an agent or user treats the examples as safe read-only operations and triggers unintended financial activity.

Missing User Warnings

Severity: Medium | Confidence: 90%
Finding
The guide instructs users to store a raw wallet private key in a plaintext local environment file and even explains how to export it from a wallet. Although it includes some basic hygiene advice, this still creates a real secret-handling risk because compromise of the file, backups, terminal history, or developer workstation would allow irreversible theft of funds and unauthorized trades.

Missing User Warnings

Severity: Medium | Confidence: 94%
Finding
The skill explicitly instructs the agent to modify `~/polymarket-reports/recommendation-history.md` by changing status values, but it does not warn the user up front that their existing data will be edited. This creates a real integrity risk: an automated or mistaken update could overwrite historical records, corrupt audit trails, or misstate trading outcomes, especially if matching or resolution logic is wrong.
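An in-place status edit can be made far less dangerous to the audit trail by refusing ambiguous matches, keeping the prior version, appending an audit line, and replacing the file atomically. The block below is an added example, not the skill's code; the one-line-per-recommendation record layout (`- id=... | status=... | ...`) is an assumption for this example, since the real `recommendation-history.md` format is not shown on this page.

```python
"""Audited, atomic status update for a recommendation history file.

Added example, not the skill's code. The record layout (one line per
recommendation, `- id=... | status=... | ...`) is an assumption for this
example; the real recommendation-history.md format is not shown on the page.
"""
import os
import re
import shutil
import tempfile
from datetime import datetime, timezone

STATUS = re.compile(r"status=(\w+)")
ALLOWED = {"pending", "won", "lost", "void"}


def update_status(path, rec_id, new_status):
    """Change one record's status. Refuses missing or ambiguous matches, keeps a
    .bak copy, appends an audit line, and replaces the file atomically so a
    crash mid-write cannot leave a truncated history. Returns the old status."""
    if new_status not in ALLOWED:
        raise ValueError(f"status {new_status!r} not in {sorted(ALLOWED)}")
    with open(path, encoding="utf-8") as f:
        lines = f.read().splitlines()
    hits = [i for i, line in enumerate(lines) if line.startswith(f"- id={rec_id} ")]
    if len(hits) != 1:
        raise LookupError(f"expected exactly one record for {rec_id}, found {len(hits)}")
    i = hits[0]
    m = STATUS.search(lines[i])
    if not m:
        raise ValueError(f"record {rec_id} has no status field")
    old = m.group(1)
    if old == new_status:
        return old                      # idempotent: no write, no audit noise
    shutil.copy2(path, path + ".bak")   # previous version survives the edit
    lines[i] = lines[i][:m.start(1)] + new_status + lines[i][m.end(1):]
    stamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    lines.append(f"<!-- {stamp} {rec_id}: status {old} -> {new_status} -->")
    tmp = path + ".tmp"
    with open(tmp, "w", encoding="utf-8") as f:
        f.write("\n".join(lines) + "\n")
    os.replace(tmp, path)               # atomic rename over the original
    return old


def demo():
    """Constructed history with two records; update one, then try a missing id."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "recommendation-history.md")
        with open(path, "w", encoding="utf-8") as f:
            f.write("# Recommendation history\n"
                    "- id=rec-001 | status=pending | market=Example market A | side=YES\n"
                    "- id=rec-002 | status=pending | market=Example market B | side=NO\n")
        old = update_status(path, "rec-001", "won")
        with open(path, encoding="utf-8") as f:
            after = f.read()
        with open(path + ".bak", encoding="utf-8") as f:
            backup = f.read()
        try:
            update_status(path, "rec-999", "lost")
            missing_rejected = False
        except LookupError:
            missing_rejected = True
    return {
        "old": old,
        "won_count": after.count("status=won"),
        "pending_count": after.count("status=pending"),
        "audit_logged": "rec-001: status pending -> won" in after,
        "backup_untouched": backup.count("status=pending") == 2,
        "missing_rejected": missing_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The `.bak` copy and the audit line are the parts that matter for the integrity concern: even if the matching or resolution logic upstream is wrong, the previous value and the time of the change are still recoverable from the file itself.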

Missing User Warnings

Severity: Low | Confidence: 90%
Finding
The skill directs the agent to create a new Markdown report under `~/polymarket-reports/` without an up-front notice that a file will be created. While lower risk than modifying an existing file, silent file creation can still surprise users, clutter storage, and leak sensitive trading analysis into a persistent location they did not intend to use.

Vague Triggers

Severity: Medium | Confidence: 90%
Finding
The skill description includes broad triggers such as 'evaluate performance', 'review returns', and 'analyze P&L', which can match many generic finance-analysis requests rather than only Polymarket recommendation backtesting. This can cause the agent to invoke a skill that reads local report files, performs network calls, and updates recommendation history in contexts where the user did not clearly request those actions.

Missing User Warnings

Severity: Medium | Confidence: 85%
Finding
The document describes operational modes that can execute real buy, sell, or rotate actions, but it does not prominently warn that these modes may place live orders and affect real funds and positions. In a trading skill, this omission increases the risk of operator misunderstanding and accidental financial loss, especially because the document also encourages progressive transition from dry-run to live usage.

Missing User Warnings

Severity: Medium | Confidence: 91%
Finding
The skill explicitly supports Telegram and email alerts for wallet positions and market activity, but it does not warn users that these notifications may expose sensitive trading behavior, wallet associations, and monitoring targets to third-party providers. In a trading-monitoring context, that data can reveal portfolio strategy and surveillance interests, which may create privacy and operational-security risk even if no exploit code is present.

Missing User Warnings

Severity: Medium | Confidence: 94%
Finding
The instructions tell users to place CLOB API credentials in a local config file but do not include guidance on secret hygiene such as file permissions, avoiding source control, or preferring environment variables/secret stores. Because these credentials enable authenticated order monitoring and are tied to trading infrastructure, accidental exposure could let an attacker access sensitive account data or abuse the API context.

Missing User Warnings

Severity: Medium | Confidence: 93%
Finding
The document directly demonstrates initializing the client with a wallet private key and deriving API credentials, but gives no security guidance on the private key, the derived secret/passphrase, environment-variable storage, log redaction, or minimizing the exposure surface. For a skill aimed at trading workflows, this noticeably increases the risk that users hard-code a real private key into scripts, commit it to a repository, or paste it into chat context or logs, which can lead to account takeover and theft of funds.
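The secret-handling findings above (plaintext `.env` storage, CLOB credentials in a local config file, raw private keys in examples) all come down to a few checks a setup script can run before anything is signed. The block below is an added example, not the skill's or Polymarket's code: it checks the credential file's permissions, checks that the file name is listed in `.gitignore` (exact-name match only, not full gitignore semantics), and redacts 32-byte hex secrets from anything that is about to be logged. The `.env` layout, the `PRIVATE_KEY` variable name, and the dummy key are constructed for the example.

```python
"""Secret-file hygiene checks and log redaction for a trading setup.

Added example, not the skill's code. The .env layout, the PRIVATE_KEY variable
name, and the .gitignore handling (exact-name match only, not full gitignore
semantics) are assumptions for this example.
"""
import os
import re
import stat
import tempfile

# 32-byte hex secret with or without a 0x prefix (the shape of an EVM private
# key). Extend the pattern to cover the other credential formats you hold.
HEX_SECRET = re.compile(r"\b(?:0x)?[0-9a-fA-F]{64}\b")


def redact(text):
    """Mask long hex secrets before anything is logged or echoed into a chat."""
    return HEX_SECRET.sub(lambda m: m.group(0)[:6] + "<redacted>", text)


def check_secret_file(path, repo_root=None):
    """Return a list of hygiene problems for a file holding trading credentials."""
    issues = []
    name = os.path.basename(path)
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        issues.append(f"{name} is group/world accessible ({stat.filemode(mode)}); use chmod 600")
    if repo_root is not None:
        ignore_path = os.path.join(repo_root, ".gitignore")
        patterns = set()
        if os.path.exists(ignore_path):
            with open(ignore_path, encoding="utf-8") as f:
                patterns = {l.strip() for l in f if l.strip() and not l.startswith("#")}
        if name not in patterns:
            issues.append(f"{name} is not listed in .gitignore; it could be committed")
    return issues


def demo():
    """Constructed scenario in a temp dir: a .env with a dummy key is first left
    world-readable and untracked by .gitignore, then fixed and re-checked."""
    dummy_key = "0x" + "7e" * 32          # constructed, not a real key
    with tempfile.TemporaryDirectory() as repo:
        env_path = os.path.join(repo, ".env")
        with open(env_path, "w", encoding="utf-8") as f:
            f.write(f"PRIVATE_KEY={dummy_key}\nCLOB_API_KEY=example\n")
        os.chmod(env_path, 0o644)
        before = check_secret_file(env_path, repo_root=repo)

        os.chmod(env_path, 0o600)
        with open(os.path.join(repo, ".gitignore"), "w", encoding="utf-8") as f:
            f.write("# local secrets\n.env\n")
        after = check_secret_file(env_path, repo_root=repo)

        log_line = redact(f"signer initialised with key {dummy_key}")
    return {"issues_before": before, "issues_after": after,
            "redacted": log_line, "leaked": dummy_key in log_line}


if __name__ == "__main__":
    print(demo())
```

Keeping the first six characters in the redacted form lets an operator tell two wallets apart in logs without exposing the key; drop that prefix too if several keys share a common prefix.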

Missing User Warnings

Severity: Low | Confidence: 84%
Finding
The instructions tell users to query Telegram's getUpdates endpoint to retrieve chat metadata, but they do not explicitly warn that bot tokens and chat identifiers are sensitive and should not be exposed in logs, screenshots, or shared terminals. While this is a common setup step, omitting privacy guidance can lead to inadvertent disclosure of messaging metadata or bot control credentials.

Missing User Warnings

Severity: Medium | Confidence: 81%
Finding
The skill instructs the agent to launch a long-running monitor that continuously persists state and reports to a default directory under the user's home folder, but it does not prominently warn the user before doing so. In an agent setting, undocumented background or repeated local writes can create privacy, disk-usage, and data-retention risks, especially if alert logs or scraped market/source data accumulate over time.

Missing User Warnings

Severity: Low | Confidence: 81%
Finding
The skill instructs the agent to persist monitoring state and reports under ~/polymarket-tracking/ and optionally write alert logs, but it does not explicitly warn the user before creating local files. This can lead to unexpected disk writes, privacy surprises, and accumulation of potentially sensitive market-tracking artifacts, especially during continuous monitoring.

Vague Triggers

Severity: Medium | Confidence: 80%
Finding
The trigger text includes broad phrases such as Polymarket trading, market analysis, market pulse, position management, and automated trading without strong boundaries, which can cause the skill to activate in contexts the user did not intend. In an agent setting, over-broad activation is dangerous because it may lead to unsolicited trading-oriented actions, external data fetching, or local file writes from ambiguous prompts.

Vague Triggers

Severity: Medium | Confidence: 84%
Finding
The description is broad enough that the skill could be auto-invoked for generic recommendation or market-opportunity queries, causing it to act in contexts where the user did not specifically request Polymarket trading analysis. In this skill, that matters because invocation can lead to downstream web access, trading analysis, and file-writing behavior, increasing the chance of unintended sensitive actions.

VirusTotal

VirusTotal findings are pending for this skill version.