Polymarket Aionmarket Trader

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed trading skill, but it asks an agent to handle live trading credentials and an optional wallet private key without strong confirmation or secret-handling safeguards.

Install only if you trust the publisher and have independently verified the Aionmarket endpoint. Prefer pre-signed orders or scoped, revocable credentials over sharing a wallet private key, and require explicit approval for each live order with the exact market, side, size, price, and order type before execution.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 96%
Finding
The template explicitly asks users to provide multiple highly sensitive secrets, including API credentials and a wallet private key, in a general trade request workflow without any warning, minimization guidance, or safer alternative. In this skill context, that is especially dangerous because these secrets enable direct asset movement and account access, so mishandling or logging them could lead to immediate financial loss and account compromise.

Missing User Warnings

Medium
Confidence: 88%
Finding
The reference explicitly instructs users to register highly sensitive credentials, including bearer API keys and Polymarket API secrets, but only at the end says not to store secrets in repository files. In a trading skill that may prompt users to provide wallet-related credentials, the lack of strong handling guidance, minimization requirements, and warnings against exposing secrets to logs, prompts, or persistent agent memory increases the risk of credential leakage and account compromise.

Missing User Warnings

Medium
Confidence: 94%
Finding
This documentation explicitly shows live wallet credential registration using Polymarket API key, secret, and passphrase, and also directs users toward live trade submission paths, but it does not include any warning about the sensitivity of these credentials, secure handling expectations, or the financial consequences of execution. In the context of an agent skill that may process wallet private keys and trading instructions, omission of these warnings materially increases the risk of credential exposure, accidental live trading, and unsafe operational use.

VirusTotal

63/63 vendors flagged this skill as clean.
