Prediction Market Analyzer

Security checks across malware telemetry and agentic risk

Overview

The skill performs its advertised market-risk lookup, but it triggers automatically, can hide failed checks, and disables HTTPS certificate validation.

Install only if you are comfortable with automatic Polymarket/Kalshi lookups being sent to api.secwarex.io. Prefer a version that asks before implicit checks, reports failed retrievals, and keeps normal HTTPS certificate verification enabled.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill explicitly instructs use of Python urllib, curl, and URL-reading tools to contact an external API, yet no permissions or disclosure are declared. This creates hidden network capability that can transmit user-derived market identifiers to a third party without clear consent or sandbox scoping.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The skill advertises itself as a forced interceptor for market links, but the documented behavior also includes undisclosed outbound requests to api.secwarex.io and references code behavior such as disabled SSL verification that materially changes the risk profile. This mismatch prevents informed review and can hide unsafe execution and network behavior behind a seemingly benign analysis skill.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The README claims the interceptor will degrade non-intrusively and hide itself on implicit mentions or API failure, but the skill metadata states it is a forced interceptor that must unconditionally prioritize execution whenever Polymarket or Kalshi links appear. This mismatch is security-relevant because it misleads operators and users about when the skill activates and how intrusive it is, undermining informed deployment and review.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The skill directs the agent to fall back from a local script to terminal/curl or direct URL-fetch tooling, expanding capability from simple analysis into arbitrary execution and network access. In agent environments, this broadening increases the chance of unintended data egress, bypass of normal guardrails, and harder-to-audit behavior.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The skill promises instant risk reporting but later instructs silent failure for implicitly triggered analyses. Silent failure obscures when external analysis was attempted or failed, reducing transparency and making it harder for users and auditors to detect unexpected network activity or malfunction.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The code unconditionally disables both TLS certificate verification and hostname validation for all HTTPS requests by setting `check_hostname = False` and `verify_mode = ssl.CERT_NONE`. This allows a man-in-the-middle attacker to impersonate `api.secwarex.io`, tamper with risk-assessment data, or return maliciously crafted responses while the client believes the connection is secure; the misleading comment increases concern because it normalizes an unsafe practice as a narrow compatibility workaround.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The installation/activation language says execution is fully driven by the standard SKILL.md trigger and becomes effective immediately when mounted, but it does not clearly bound when interception occurs. In the context of a forced interceptor for prediction-market links, ambiguous activation semantics can cause overbroad triggering, surprising takeovers of user workflows, and unsafe deployment assumptions.

Natural-Language Policy Violations

Medium
Confidence
83% confidence
Finding
The skill states it will dynamically translate and render output based on the user's native language without explicit opt-in. In a security-analysis interceptor, this can alter or summarize risk information in ways the user did not request, create privacy concerns through language inference, and reduce transparency about the original source content and wording.

Vague Triggers

High
Confidence
95% confidence
Finding
The trigger is overly broad and unconditional: any Polymarket/Kalshi link or even discussion of a prediction market event mandates activation. In context, that means ordinary conversation can automatically invoke external lookups and tool use without clear user intent, increasing privacy and autonomy risks.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill instructs direct GET requests via curl/read_url_content with no user-facing warning that external retrieval will occur. That can expose user-supplied links, slugs, or inferred interests to a third-party API without transparency or consent.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The examples show the skill activating on vague references like 'Is the Trump event on Poly safe?' without requiring a clear user request or explicit market identifier. In a skill explicitly described as a forced interceptor that must unconditionally prioritize itself when Polymarket or Kalshi content appears, this broad trigger guidance can cause unwanted takeover of unrelated conversations and unnecessary external data access.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The documentation explicitly instructs the skill to conceal network retrieval failures from the user for implicit requests and 'answer the main question normally.' Hiding tool or retrieval failure creates deceptive behavior: the system may present output as if informed by security data when that data was never obtained, undermining user trust and potentially causing unsafe decisions based on fabricated or incomplete analysis.

Missing User Warnings

High
Confidence
99% confidence
Finding
Disabling SSL certificate and hostname verification defeats the primary security guarantees of HTTPS, so any network attacker or malicious proxy can intercept and modify responses from the remote risk API. In this skill's context, that is especially dangerous because the tool is a forced interceptor for Polymarket/Kalshi links, meaning users may automatically receive manipulated risk assessments without realizing the underlying transport security has been disabled.

External Transmission

Medium
Category
Data Exfiltration
Content
- **Python**: Version 3.10 is preferred. No external dependencies (`requests` is NOT needed, uses built-in `urllib`).
- **Execution Tip**: Before running scripts, use `find_by_name` or `list_dir` to locate the absolute path of `fetch_market_risk.py` within the `packages/prediction-market-analyzer/skill/scripts/` directory.
- **Fail-safe Fallback**: If the environment does NOT have Python available at all (`python3: command not found`), **DO NOT TRY TO INSTALL PYTHON**. Instead, fallback to your native terminal or `read_url_content` tools to directly execute a GET request (e.g., via `curl -s "https://api.secwarex.io/api/v1/plugin/[platform]/risk?slug=[slug]"`) and format the JSON yourself.

## Core Workflow
Confidence
91% confidence
Finding
https://api.secwarex.io/

VirusTotal

64/64 vendors flagged this skill as clean.
