Polymarket Executor

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Polymarket trading bot, but live mode can autonomously place real-money trades and the artifacts include under-scoped persistence, credential, and alerting patterns users should review carefully.

Install only if you intentionally want an autonomous financial trading bot. Keep PAPER_MODE=true until you have independently reviewed results, remove or explicitly set the Telegram chat destination, avoid running it as root, use a dedicated low-balance wallet/API key, add single-instance protection, and require human approval or strict caps before enabling live trading.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (8)

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill is described as a trading bot, but the documented behavior materially expands into real-money order placement, wallet interaction, persistent local state, and outbound Telegram reporting. That mismatch is dangerous because users or automated approval systems may grant trust based on an incomplete description, leading to credential exposure, unexpected data exfiltration, or unintended financial execution.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README explicitly instructs users to switch from paper mode to live mode, export API credentials, and run the trading bot with real capital, but it does not provide prominent warnings about financial loss, unintended order execution, credential handling, or the risks of automated autonomous trading. In the context of a bot that scans all markets and can place live trades, this omission can cause users to expose secrets or deploy real money without understanding the operational and security consequences.

Natural-Language Policy Violations

Medium
Confidence
86% confidence
Finding
The skill instructs operators to use a residential proxy to bypass infrastructure restrictions for live order placement, but it does not explain the legal, policy, privacy, or jurisdictional implications. That creates compliance and abuse risk, and can normalize concealment of origin for financial transactions without informed user consent.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The guide explicitly configures a root-run systemd service to import all variables from a shared .env file, which can expose API keys, wallet credentials, or other secrets to a broader execution context than necessary. In this trading-bot context, those secrets likely control financial operations, so poor secret handling materially raises the risk of credential leakage or misuse.

Missing User Warnings

High
Confidence
98% confidence
Finding
In live mode, the bot places real trading orders automatically whenever its internal heuristics approve an opportunity, with no per-trade confirmation, approval workflow, or last-mile user warning. In an autonomous trading skill handling real funds, this materially increases the risk of unintended financial loss from logic errors, bad market data, poisoned configuration, or strategy misfires.

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
sudo systemctl status polymarket-executor | grep "Main PID"

# Kill process (simulates crash)
sudo kill -9 <PID>

# Wait 30 seconds, then verify auto-restart
sudo systemctl status polymarket-executor
Confidence
83% confidence
Finding
sudo

Credential Access

High
Category
Privilege Escalation
Content
User=root
WorkingDirectory=/docker/openclaw-yyvg

# Load credentials from Wesley's .env
EnvironmentFile=/docker/openclaw-yyvg/.env

# Run inside OpenClaw Docker container
Confidence
95% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
WorkingDirectory=/docker/openclaw-yyvg

# Load credentials from Wesley's .env
EnvironmentFile=/docker/openclaw-yyvg/.env

# Run inside OpenClaw Docker container
ExecStart=/usr/bin/docker exec openclaw-yyvg-openclaw-1 \
Confidence
95% confidence
Finding
.env

VirusTotal

64/64 vendors flagged this skill as clean.
