Polymarket Arbitrage Cn

Security checks across malware telemetry and agentic risk

Overview

The skill appears aimed at legitimate prediction-market arbitrage monitoring, but its monitor script exposes a serious command-injection risk and the package under-discloses its local execution, file, network, and optional alerting behavior.

Install only if you are comfortable reviewing and fixing the monitor script first. Do not pass untrusted values to command-line options, avoid webhook URLs that contain secrets unless alert payloads are documented, and treat any financial execution language as unverified until the source clearly shows whether it only monitors or can place trades.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (6)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
print(f"[{datetime.now().strftime('%H:%M:%S')}] {description}", file=sys.stderr)
    
    try:
        result = subprocess.run(
            cmd,
            shell=True,
            capture_output=True,
Confidence
96% confidence
Finding
result = subprocess.run( cmd, shell=True, capture_output=True, text=True, timeout=60 )

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill instructs users to run Python scripts that read and write local files, access the network, and execute shell commands, yet the manifest declares no permissions. This creates a transparency and consent problem: users and hosting systems cannot accurately assess the skill's capabilities before use, increasing the chance of unintended file changes, network access, or command execution.

Description-Behavior Mismatch

Medium
Confidence
83% confidence
Finding
The manifest frames the skill as discovering arbitrage opportunities, but the documentation claims it can 'find and execute' them. This mismatch can mislead users or orchestration systems into believing the skill has trading or transaction capabilities it may not actually have, which is especially sensitive in a financial context where execution implies wallet access, funds movement, and higher-risk automation.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The monitor has broader command-execution capability than needed because it shells out to other Python scripts through the system shell. In an agent skill context, unnecessary shell access increases attack surface and makes argument injection or environment manipulation significantly more dangerous than direct function calls or non-shell subprocess invocation.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The trigger terms include broad, common words such as 'Polymarket,' '预测市场,' '套利,' and 'arbitrage,' which could cause accidental invocation during ordinary discussion. Unintended activation is more concerning here because the skill leads users toward running network-enabled scripts and processing market data, potentially causing unwanted actions or confusion in financial workflows.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documentation encourages sending opportunity data to an external webhook but does not explain what information may be transmitted, who receives it, or the privacy and security implications. Even if the payload seems limited, market activity, monitoring behavior, or embedded secrets in webhook URLs can leak to third-party services or logs.

VirusTotal

66/66 vendors flagged this skill as clean.
