Polymarket Edge Trader

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Polymarket trading automation, but it can run recurring account-affecting actions and auto-redeem positions even when live trading is not enabled.

Install only if you intentionally want recurring financial automation for Polymarket. Start with dry-run in a controlled account, and understand that auto-redeem can still change account state. Avoid private keys, and use limited balances and scoped credentials. Before running it on a schedule, require a code or configuration change that makes auto-redeem and live trading separately opt-in.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 92%
Finding
The skill documentation instructs use of multiple sensitive environment variables, including API keys, wallet identifiers, private keys, and signed order payloads, yet the skill declares no permissions. This creates a capability/permission mismatch: an agent or operator may expose high-value secrets to the skill without any explicit declaration, review boundary, or least-privilege control, which is especially risky in a trading skill that can trigger live financial actions.

Description-Behavior Mismatch

Medium
Confidence: 88%
Finding
The skill performs an additional account-affecting action beyond its advertised purpose of trading a queried high-edge market: it automatically redeems resolved positions at the start of every run. Even if redemption is usually beneficial, it changes wallet state without a dedicated user confirmation path, broadens the skill’s authority, and could surprise operators who expected market selection and trade execution only. In this trading-skill context, the behavior is more dangerous because the skill already has access to authenticated account operations, so hidden or bundled actions materially increase operational risk.

Missing User Warnings

Medium
Confidence: 94%
Finding
The manifest explicitly supports live order submission via a wallet address and pre-signed order payload, but it does not present any prominent warning that enabling live mode can place real-money trades and affect user funds. In an automated skill that runs on a cron schedule, this omission materially increases the risk of accidental financial loss because users may configure required secrets without understanding that the agent can execute real trades rather than only simulate them.

VirusTotal

64/64 vendors flagged this skill as clean.