Polymarket Optimizer

Security checks across malware telemetry and agentic risk

Overview

This appears to be a genuine Polymarket optimizer, but it needs review because it changes trading parameters automatically and its setup guidance widens privilege and secret exposure.

Install only if you intentionally want an unattended optimizer to change future Polymarket executor behavior. If you do:
  • Use paper mode first.
  • Back up learned_config.json.
  • Review optimizer_log.jsonl.
  • Replace the Telegram chat ID with your own placeholder or secret handling.
  • Avoid the root systemd/shared .env setup: prefer a non-root service account and a minimal dedicated credentials file, or disable Telegram reporting.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill metadata is inconsistent with the capabilities the document describes: the optimizer reads and writes workspace files, reads environment variables, and makes network requests, yet its declared permissions do not cover that behavior (the network block allows api.telegram.org while stating requires_credentials: false, and the security level is described as local file access only). Operators who trust the declaration get a narrower security boundary than the skill's effective access.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The declared purpose understates operational behavior by omitting Telegram reporting, additional file reads, and persistent logging. Reviewers may therefore approve the skill for local optimization while overlooking its data egress and expanded data handling, which raises privacy and change-management risk.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The optimizer's stated purpose is local metrics/config optimization, yet it includes a built-in outbound messaging channel that sends operational trading data to Telegram. In this context, that creates an unnecessary exfiltration path for portfolio health, returns, and readiness signals, increasing privacy and operational security risk if enabled without clear user consent.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
Reading Telegram credentials from environment variables is not inherently malicious, but in a skill whose declared role is only optimization, it expands capability into external communications without clear necessity. That capability makes accidental or unauthorized transmission of sensitive trading telemetry more likely in deployment environments where such secrets are already present.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation includes a real-looking Telegram chat ID and demonstrates placement of a bot token in a shared configuration block without any warning about secret handling. In the context of an automated trading optimizer running in a VPS/workspace environment, this increases the chance that operators copy sensitive credentials into logs, screenshots, repos, or shared docs, enabling bot abuse or unauthorized message delivery.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The README explicitly states that the optimizer runs on a schedule and automatically adjusts learned_config.json, but it does not warn users that runtime trading behavior will be modified without manual review. In a trading context, silent automated config changes can materially alter capital allocation, thresholds, and execution cadence, increasing the risk of unsafe or unexpected behavior if the optimizer logic is flawed, manipulated, or fed bad metrics.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The markdown explicitly promotes unattended execution that modifies configuration files and sends external reports, but does not clearly warn users about automatic state changes or outbound transmission. In an agent ecosystem, silent autonomous modification of trading parameters can have material financial consequences, especially when tied to cron execution.
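A guard the optimizer could wrap around its own writes, added here as an example and not code from the skill: it backs up learned_config.json before overwriting, appends every proposal to optimizer_log.jsonl, rejects parameters that leave their bounds or move more than a fixed fraction in a single run, and in paper mode only stages the change for an operator to diff and promote. Python is assumed (the page does not state the optimizer's language), and the parameter names and bounds are constructed placeholders since the real config keys are not shown.

```python
import json
import os
import shutil
import tempfile
import time

# Constructed bounds for hypothetical parameters; the real learned_config.json
# keys are not shown on the page.
BOUNDS = {
    "max_position_usd": (0.0, 500.0),
    "min_edge": (0.01, 0.20),
    "scan_interval_s": (60, 3600),
}
MAX_REL_STEP = 0.25   # a single run may not move a parameter by more than 25%


def validate_update(current, proposed, bounds=BOUNDS, max_rel_step=MAX_REL_STEP):
    """Return rejection reasons; an empty list means the update is acceptable."""
    reasons = []
    for key, new in proposed.items():
        if key not in bounds:
            reasons.append(f"{key}: not an allowed parameter")
            continue
        lo, hi = bounds[key]
        if not lo <= new <= hi:
            reasons.append(f"{key}: {new} outside [{lo}, {hi}]")
        old = current.get(key)
        if old and abs(new - old) / abs(old) > max_rel_step:
            reasons.append(f"{key}: {old} -> {new} exceeds {max_rel_step:.0%} per-run step")
    return reasons


def apply_update(config_path, proposed, log_path, mode="paper", bounds=BOUNDS):
    """Validate, log, and either stage (paper) or back up and write (live).
    Returns 'rejected', 'staged' or 'applied'."""
    current = {}
    if os.path.exists(config_path):
        with open(config_path) as f:
            current = json.load(f)
    reasons = validate_update(current, proposed, bounds)
    with open(log_path, "a") as f:                 # append-only audit trail
        f.write(json.dumps({"ts": time.time(), "mode": mode,
                            "proposed": proposed, "rejected": reasons}) + "\n")
    if reasons:
        return "rejected"
    merged = {**current, **proposed}
    if mode == "paper":
        # Stage next to the live file so the operator can diff and promote it by hand.
        with open(config_path + ".proposed", "w") as f:
            json.dump(merged, f, indent=2)
        return "staged"
    if os.path.exists(config_path):
        shutil.copy2(config_path, config_path + ".bak")   # restore point before overwrite
    with open(config_path, "w") as f:
        json.dump(merged, f, indent=2)
    return "applied"


def demo():
    """Exercise the guard in a temp dir with constructed values; returns the outcomes."""
    with tempfile.TemporaryDirectory() as d:
        cfg, log = os.path.join(d, "learned_config.json"), os.path.join(d, "optimizer_log.jsonl")
        with open(cfg, "w") as f:
            json.dump({"max_position_usd": 100.0, "min_edge": 0.05, "scan_interval_s": 300}, f)
        outcomes = [
            apply_update(cfg, {"max_position_usd": 110.0}, log, mode="paper"),  # staged only
            apply_update(cfg, {"max_position_usd": 400.0}, log, mode="live"),   # 300% jump
            apply_update(cfg, {"min_edge": 0.5}, log, mode="live"),             # out of bounds
            apply_update(cfg, {"max_position_usd": 120.0}, log, mode="live"),   # 20% step, ok
        ]
        with open(cfg) as f:
            final = json.load(f)["max_position_usd"]
        with open(log) as f:
            logged = sum(1 for _ in f)
        return {"outcomes": outcomes, "final": final, "logged": logged,
                "backup": os.path.exists(cfg + ".bak"),
                "staged": os.path.exists(cfg + ".proposed")}
```

The step limit is the piece that defends against bad or manipulated metrics: even when the optimizer's logic is convinced a parameter should quadruple, the live file moves at most 25% per scheduled run, and every rejected proposal is still on record in the log.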

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The guide explicitly configures the service to run as root while loading secrets from a host .env file, creating an unnecessary high-privilege execution path for code that appears to be part of an agent skill. If the optimizer code, container, or referenced environment file is compromised, an attacker could gain access to sensitive credentials and potentially leverage root-owned automation on the VPS.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script automatically sends a report containing capital, returns, win rate, trade counts, and live-readiness status to Telegram with no prompt or explicit warning at execution time. In a trading system, those details are operationally sensitive and could expose strategy performance or account posture to unintended recipients if credentials are misconfigured or reused.
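An added example of how the reporting path could be kept opt-in and minimal; it is not the skill's code. Telegram credentials are read from a dedicated file that must not be group- or world-readable (so a shared .env cannot simply be pointed at), every field outside an explicit allow-list is redacted before anything leaves the host, and the bot token is stripped from the request URL before it is logged. Python is assumed; the report fields, file layout and token string are constructed, and the transport callable stands in for the HTTPS POST so the example runs offline.

```python
import json
import os
import re
import stat
import tempfile
from urllib.parse import urlsplit

# Constructed sample of what the optimizer reports after a run.
SAMPLE_REPORT = {"capital": 1234.56, "return_pct": 3.2, "win_rate": 0.58,
                 "trades": 41, "live_ready": True}

# Only these fields leave the host unless the operator widens the allow-list.
DEFAULT_ALLOWED = frozenset({"trades", "live_ready"})


def load_telegram_creds(path):
    """Read bot_token/chat_id from a dedicated JSON file owned by the service user.
    Refuses files readable by group or others, so a shared .env cannot be reused."""
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is group/world accessible; chmod 600 it")
    with open(path) as f:
        creds = json.load(f)
    missing = [k for k in ("bot_token", "chat_id") if not creds.get(k)]
    if missing:
        raise ValueError("credentials file missing " + ", ".join(missing))
    return creds


def build_payload(report, allowed=DEFAULT_ALLOWED):
    """Redact every field not explicitly allowed; keys stay so the recipient sees what was withheld."""
    return {k: (v if k in allowed else "[redacted]") for k, v in report.items()}


def redact_token(url):
    """Replace the /bot<token> path segment so the URL can be logged."""
    parts = urlsplit(url)
    return parts._replace(path=re.sub(r"/bot[^/]+", "/bot<redacted>", parts.path)).geturl()


def send_report(report, creds_path, enabled=False, allowed=DEFAULT_ALLOWED, transport=None):
    """Send only on explicit opt-in. Returns (sent, payload, loggable_url).
    transport is a callable (url, body) standing in for the HTTPS POST."""
    if not enabled:
        return False, None, None
    creds = load_telegram_creds(creds_path)
    payload = build_payload(report, allowed)
    url = f"https://api.telegram.org/bot{creds['bot_token']}/sendMessage"
    body = {"chat_id": creds["chat_id"], "text": json.dumps(payload)}
    if transport is not None:
        transport(url, body)
    return True, payload, redact_token(url)


def demo():
    """Run the flows against a temp credentials file (constructed token); returns results."""
    captured = []
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "telegram.json")
        with open(path, "w") as f:
            json.dump({"bot_token": "123456:EXAMPLE_TOKEN", "chat_id": "000000"}, f)
        os.chmod(path, 0o600)
        off = send_report(SAMPLE_REPORT, path)                       # opt-in missing: nothing sent
        sent, payload, url = send_report(SAMPLE_REPORT, path, enabled=True,
                                         transport=lambda u, b: captured.append((u, b)))
        os.chmod(path, 0o644)                                        # simulate a shared file
        try:
            send_report(SAMPLE_REPORT, path, enabled=True)
            loose_rejected = False
        except PermissionError:
            loose_rejected = True
    return {"off": off, "sent": sent, "payload": payload, "url": url,
            "posted": len(captured), "loose_rejected": loose_rejected}
```

With the default allow-list, capital, returns and win rate never reach Telegram; an operator who wants them has to widen `allowed` deliberately, which is the consent step the report says is missing.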

Ssd 3

Medium
Confidence
95% confidence
Finding
The file exposes live-looking messaging configuration values in plain text examples, especially a specific chat identifier that appears operational rather than illustrative. Because this skill is part of an automated trading ecosystem with scheduled cron execution and Telegram integration, realistic credentials in docs can facilitate misdelivery, social engineering, or token targeting if copied verbatim or if the values are genuine.

External Transmission

Medium
Category
Data Exfiltration
Content
network_behavior:
  makes_requests: true
  endpoints_allowed:
    - "https://api.telegram.org/bot*"
  requires_credentials: false
  uses_websocket: false
security_level: "L1 - Read/Write local files only"
Confidence
89% confidence
Finding
https://api.telegram.org/
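The contradiction behind both the Lp3 finding and this one is visible in the fragment above: an allowed endpoint whose path embeds a bot token, requires_credentials set to false, and a security level described as local file access only. As an added example (not part of SkillSpector or of the skill), the following compares a skill's declared metadata with the capabilities a code scan observes. The observed capability list and the corrected declaration are constructed, and the corrected security level label is a placeholder, not a level name from the scanner's own scheme. Python is assumed.

```python
from urllib.parse import urlsplit

# The metadata block as quoted in the report, written out as a dict so the
# example runs without a YAML library.
DECLARED = {
    "network_behavior": {
        "makes_requests": True,
        "endpoints_allowed": ["https://api.telegram.org/bot*"],
        "requires_credentials": False,
        "uses_websocket": False,
    },
    "security_level": "L1 - Read/Write local files only",
}

# Constructed: what a static scan of the optimizer would observe it doing.
OBSERVED = {
    "reads_env": {"TELEGRAM_BOT_TOKEN", "TELEGRAM_CHAT_ID"},
    "writes_files": {"learned_config.json", "optimizer_log.jsonl"},
    "network_hosts": {"api.telegram.org"},
}

# Constructed: a declaration that matches the observed behaviour. The level
# label is a placeholder, not a real SkillSpector level.
CORRECTED = {
    "network_behavior": {
        "makes_requests": True,
        "endpoints_allowed": ["https://api.telegram.org/bot*"],
        "requires_credentials": True,
        "uses_websocket": False,
    },
    "security_level": "L2 - Local files plus declared network endpoints (placeholder)",
}


def check_least_privilege(declared, observed):
    """Return mismatch descriptions; an empty list means declarations cover actual use."""
    issues = []
    net = declared.get("network_behavior", {})
    level = declared.get("security_level", "")
    # A level described as local-files-only cannot cover a skill that talks to the network.
    if level.startswith("L1") and (net.get("makes_requests") or observed["network_hosts"]):
        issues.append("security_level L1 (local files only) but network access is used")
    # An endpoint pattern with /bot* embeds a bot token, so the endpoint is credentialed.
    for ep in net.get("endpoints_allowed", []):
        if "/bot*" in ep and not net.get("requires_credentials"):
            issues.append(f"requires_credentials=false but {ep} needs a bot token in the path")
    # Secrets pulled from the environment must be declared as required credentials.
    if observed["reads_env"] and not net.get("requires_credentials"):
        issues.append("reads credential env vars " + ", ".join(sorted(observed["reads_env"]))
                      + " without declaring requires_credentials")
    # Every host actually contacted must fall under an allowed endpoint.
    allowed_hosts = {urlsplit(ep).hostname for ep in net.get("endpoints_allowed", [])}
    for host in sorted(observed["network_hosts"] - allowed_hosts):
        issues.append(f"contacts {host}, which is not in endpoints_allowed")
    return issues
```

Run against the quoted declaration this yields three mismatches (level, credentialed endpoint, undeclared env secrets); the corrected declaration yields none. The host check is the general case: any host the code contacts that the metadata does not list is an undeclared egress path.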

Credential Access

High
Category
Privilege Escalation
Content
User=root
WorkingDirectory=/docker/openclaw-yyvg

# Load credentials from Wesley's .env
EnvironmentFile=/docker/openclaw-yyvg/.env

# Run inside OpenClaw Docker container
Confidence
95% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
WorkingDirectory=/docker/openclaw-yyvg

# Load credentials from Wesley's .env
EnvironmentFile=/docker/openclaw-yyvg/.env

# Run inside OpenClaw Docker container
ExecStart=/usr/bin/docker exec openclaw-yyvg-openclaw-1 \
Confidence
95% confidence
Finding
.env
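Both Credential Access findings quote the same unit file. As an added example, not code from the skill or from the report's tooling, the following audits a systemd [Service] section for the properties the findings describe: running as root (systemd's default when User is unset), loading a shared .env, and launching through docker exec, which makes the service's access to the docker daemon root-equivalent on the host; it also lists absent sandboxing directives. The unit texts are constructed stand-ins with placeholder paths and container names, and a hardened variant is included for contrast. Python is assumed.

```python
import os
import stat

# Constructed unit text modelled on the fragment quoted above; the paths and
# container name are placeholders, not the page's values.
RISKY_UNIT = """[Unit]
Description=optimizer (as documented)

[Service]
User=root
WorkingDirectory=/opt/stack
# Load credentials from a shared .env
EnvironmentFile=/opt/stack/.env
ExecStart=/usr/bin/docker exec stack-app-1 python3 optimizer.py
"""

# Constructed hardened variant: dedicated user, dedicated secrets file,
# no docker exec, plus standard systemd sandboxing directives.
HARDENED_UNIT = """[Service]
User=optimizer
Group=optimizer
WorkingDirectory=/opt/optimizer
EnvironmentFile=/etc/optimizer/telegram.env
ExecStart=/usr/bin/python3 /opt/optimizer/optimizer.py
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
"""

HARDENING = ("NoNewPrivileges", "ProtectSystem", "ProtectHome", "PrivateTmp")


def parse_service(unit_text):
    """Return {directive: [values]} for the [Service] section (repeated keys allowed)."""
    section, out = None, {}
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, value = line.split("=", 1)
            out.setdefault(key.strip(), []).append(value.strip())
    return out


def audit_service(unit_text, env_file_modes=None):
    """Flag the privilege and secret-exposure issues the report describes.
    env_file_modes maps EnvironmentFile paths to st_mode values when the files
    can be stat'ed; pass None to skip the permission check."""
    svc = parse_service(unit_text)
    findings = []
    if svc.get("User", ["root"])[0] == "root":   # systemd runs as root when User is unset
        findings.append("runs as root (User unset or User=root)")
    for path in svc.get("EnvironmentFile", []):
        path = path.lstrip("-")                  # leading '-' means 'ignore if missing'
        if os.path.basename(path) == ".env":
            findings.append(f"loads shared {path}; use a dedicated, minimal credentials file")
        mode = (env_file_modes or {}).get(path)
        if mode is not None and mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"{path} is group/world accessible")
    for cmd in svc.get("ExecStart", []):
        argv = cmd.lstrip("-@:+!").split()       # strip systemd ExecStart prefix characters
        if argv and os.path.basename(argv[0]) == "docker" and "exec" in argv[1:]:
            findings.append("ExecStart runs docker exec; control of the docker daemon "
                            "is root-equivalent on the host")
    findings.extend(f"missing {d}=" for d in HARDENING if d not in svc)
    return findings
```

Against the risky unit this reports seven findings (root, shared .env, docker exec, four missing sandboxing directives) and nothing against the hardened one. Note that moving to a non-root user does not by itself fix the docker exec path: a user who can reach the docker daemon can still mount the host filesystem, so the service should run the optimizer directly or through a narrowly scoped container without daemon access.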

VirusTotal

64/64 vendors flagged this skill as clean.
