Polymarket Arbitrage Cn
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: polymarket-arbitrage-cn
Version: 1.0.0

The skill bundle is classified as suspicious because of a critical shell injection vulnerability in `scripts/monitor.py`. The `subprocess.run` calls use `shell=True` with command strings built by interpolating user-controlled arguments such as `--data-dir` and `--min-edge`. Anyone who controls those values can inject arbitrary shell commands and execute code on the machine running the monitor. The `--alert-webhook` parameter could in principle transmit data externally, but the current code does not implement the HTTP request; it only prints a message, and its stated purpose (alerting) is legitimate. The shell injection is severe, but it appears to be an unintentional flaw rather than intentional malicious design.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If an agent or user passes an untrusted or malformed data directory, the script could run unintended commands on the user's machine.
The monitor builds shell command strings using user-controllable path values such as --data-dir, then runs them with shell=True and no quoting. A crafted path containing shell metacharacters could cause arbitrary local command execution when the monitor runs.
subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=60)
...
parser.add_argument('--data-dir', default='./polymarket_data' ... )
...
fetch_cmd = f"python3 {script_dir}/fetch_markets.py --output {markets_file} --min-volume 50000"

Replace the `shell=True` string commands with `subprocess.run([...], shell=False)` (argv list form), validate or quote paths, and avoid accepting data-directory values from untrusted text.
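The following is an added example written for this review, not code from the skill. It puts the flagged pattern next to its hardened form: the same `--data-dir` value carrying a `;` is shown first as a POSIX shell would tokenize it, then delivered intact as a single argument when the command is an argv list with no shell. The `fetch_markets.py` child is replaced by a constructed stub that echoes its argv, since the real script is not on this page; `validate_data_dir` and the base-directory check are assumptions about how the monitor should constrain the value, not the skill's own code.

```python
import json
import shlex
import subprocess
import sys
from pathlib import Path

# Constructed stand-in for scripts/fetch_markets.py (the real script is not on
# this page): it echoes the argv it received as JSON so we can see how values
# arrive at the child process.
ECHO_ARGV = "import json, sys; print(json.dumps(sys.argv[1:]))"


def build_fetch_cmd_unsafe(script_dir: str, markets_file: str) -> str:
    """The flagged pattern: untrusted values pasted into one string for shell=True."""
    return f"python3 {script_dir}/fetch_markets.py --output {markets_file} --min-volume 50000"


def shell_words(cmd: str) -> list:
    """Tokenize cmd the way a POSIX shell would; ';', '|', '&' become their own tokens."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def validate_data_dir(value: str, base) -> Path:
    """Resolve a user-supplied --data-dir and refuse anything that escapes base
    (assumed policy: state may only live under the monitor's own directory)."""
    base = Path(base).resolve()
    candidate = (base / value).resolve()
    if not candidate.is_relative_to(base):  # Python 3.9+
        raise ValueError(f"--data-dir {value!r} escapes {base}")
    return candidate


def build_fetch_cmd_safe(script_dir, markets_file) -> list:
    """Hardened form: an argv list, no shell, every value is exactly one argument."""
    return [sys.executable, str(Path(script_dir) / "fetch_markets.py"),
            "--output", str(markets_file), "--min-volume", "50000"]


def run_against_stub(argv: list) -> list:
    """Run argv with shell=False, substituting the stub for the real script
    (argv[0] and argv[1] are the interpreter and script path), and return the
    arguments the child actually received."""
    proc = subprocess.run([sys.executable, "-c", ECHO_ARGV, *argv[2:]],
                          capture_output=True, text=True, timeout=60, check=True)
    return json.loads(proc.stdout)


if __name__ == "__main__":
    payload = "./data; echo INJECTED"  # a --data-dir value carrying a shell metacharacter
    unsafe = build_fetch_cmd_unsafe("./scripts", payload)
    print("shell parses the unsafe string as:", shell_words(unsafe))
    # With shell=True the injected echo really runs (the python3 part fails because
    # the script does not exist here); on a POSIX host stdout shows INJECTED.
    run = subprocess.run(unsafe, shell=True, capture_output=True, text=True)
    print("shell=True stdout:", run.stdout.strip())
    argv = build_fetch_cmd_safe("./scripts", payload)
    print("child argv with shell=False:", run_against_stub(argv))
    print("validated data dir:", validate_data_dir("polymarket_data", Path.cwd()))
```

The list form removes the injection on its own; the path check is a second layer that keeps a crafted `--data-dir` from pointing state writes outside the monitor's directory. Numeric flags such as `--min-edge` should simply be declared with `type=float` so argparse rejects anything that is not a number before it reaches a command line.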
A Telegram or similar webhook token could be revealed to anyone who can see command output or stored logs.
The script accepts a webhook URL for alerts and prints the full value to stderr. The SKILL.md example uses a Telegram-style URL that can contain a bot token, so this can expose credentials in logs or agent transcripts.
parser.add_argument('--alert-webhook', type=str, help='Webhook URL for alerts')
...
if webhook_url: print(f"[ALERT] Would send to webhook: {webhook_url}", file=sys.stderr)

Do not print full webhook URLs; mask tokens, treat alert endpoints as secrets, and declare any supported webhook credential handling clearly.
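As an added illustration of the masking the recommendation asks for (example code, not from the skill), the helper below turns a webhook URL into a form safe to log: scheme and host are kept, a Telegram-style `bot<id>:<secret>` segment keeps only the bot id, and every other path segment and query value is replaced, because for Slack- and Discord-style webhooks the path itself is the credential. The token in the sample URL is constructed, and `SAFE_SEGMENTS` is an assumed allowlist of non-secret path words that an operator would extend for their own endpoints.

```python
import re
import sys
from urllib.parse import parse_qsl, urlsplit

# Telegram bot tokens appear as a path segment "bot<numeric id>:<secret>".
TELEGRAM_TOKEN = re.compile(r"bot(\d+):([A-Za-z0-9_-]+)")
# Path segments that carry no credential and may be shown (assumed list).
SAFE_SEGMENTS = {"api", "services", "webhooks", "hooks", "sendMessage"}


def redact_webhook(url: str) -> str:
    """Return a loggable form of a webhook URL with every credential-bearing
    part replaced by ***."""
    parts = urlsplit(url)
    shown = []
    for seg in parts.path.split("/"):
        if not seg:
            continue
        match = TELEGRAM_TOKEN.fullmatch(seg)
        if match:
            shown.append(f"bot{match.group(1)}:***")   # keep the bot id, drop the secret
        elif seg in SAFE_SEGMENTS:
            shown.append(seg)
        else:
            shown.append("***")                        # unknown segment: assume it is a secret
    query = "&".join(f"{key}=***" for key, _ in parse_qsl(parts.query, keep_blank_values=True))
    # parts.hostname also drops any user:password@ userinfo
    result = f"{parts.scheme}://{parts.hostname}/{'/'.join(shown)}"
    return f"{result}?{query}" if query else result


def leaks_secret(logged: str, url: str) -> bool:
    """Check a log line or agent transcript: does it still contain a secret from url?"""
    for seg in urlsplit(url).path.split("/"):
        match = TELEGRAM_TOKEN.fullmatch(seg)
        secret = match.group(2) if match else seg
        if secret and secret not in SAFE_SEGMENTS and secret in logged:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample; the token is not a real credential.
    webhook_url = "https://api.telegram.org/bot123456789:AAHexampleNotARealToken-x/sendMessage?chat_id=-1001"
    # What the skill prints today versus what it should print.
    print(f"[ALERT] Would send to webhook: {redact_webhook(webhook_url)}", file=sys.stderr)
    print("redacted line still leaks:", leaks_secret(redact_webhook(webhook_url), webhook_url))
```

`leaks_secret` is the check to run over captured stderr or agent transcripts after the change: it should be false for the redacted line and true for the original `[ALERT]` output.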
Future package changes or a compromised local Python environment could affect what code runs.
The skill instructs users to install Python packages from PyPI without pinned versions or hashes. This is purpose-aligned for the scripts, but dependency provenance and repeatability are not locked down.
pip install requests beautifulsoup4
Install in a virtual environment and prefer pinned, reviewed dependency versions.
The script may keep making periodic network requests and writing local state until stopped.
The skill supports a long-running monitoring loop and local state files. This is disclosed and aligned with the monitoring purpose, but users should start it intentionally and know how to stop it.
python scripts/monitor.py --interval 300 --min-edge 3.0
...
Stop with `Ctrl+C`
...
Saves state to `polymarket_data/`
Run continuous monitoring only when explicitly needed, use --once for one-time scans, and stop the process when finished.
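The loop shape that makes the recommendation practical, as an added example rather than the skill's own `monitor.py`: `--once` runs a single cycle and exits, Ctrl+C only sets a flag so the cycle in progress finishes and state is written, the sleep is sliced so a stop is honoured in well under `--interval`, and the state file is written via temp-file-and-rename so an interrupt cannot leave a truncated `state.json`. The `fake_scan` stand-in, `state.json` file name and the `Monitor` class are assumptions; the real scan logic is not on this page.

```python
import argparse
import json
import os
import signal
import sys
import tempfile
import time
from pathlib import Path


class Monitor:
    """A monitoring loop that honours --once and stops cleanly on Ctrl+C."""

    def __init__(self, data_dir, scan, interval: float):
        self.data_dir = Path(data_dir)
        self.scan = scan            # callable returning a JSON-serialisable result
        self.interval = interval
        self.stop_requested = False

    def request_stop(self, *_):
        """Signal handler: only sets a flag; the loop exits at a safe point."""
        self.stop_requested = True

    def save_state(self, state: dict) -> Path:
        """Write state atomically (temp file, then rename) so an interrupt
        cannot leave a half-written state.json behind."""
        self.data_dir.mkdir(parents=True, exist_ok=True)
        final = self.data_dir / "state.json"
        tmp = self.data_dir / "state.json.tmp"
        tmp.write_text(json.dumps(state))
        os.replace(tmp, final)
        return final

    def run(self, once: bool = False) -> int:
        """Run scan cycles until --once or a stop request; return the cycle count."""
        cycles = 0
        while not self.stop_requested:
            result = self.scan()
            cycles += 1
            self.save_state({"cycles": cycles, "last_result": result, "updated": time.time()})
            if once:
                break
            # Sleep in short slices so Ctrl+C is honoured within ~0.2s, not --interval.
            deadline = time.monotonic() + self.interval
            while not self.stop_requested and time.monotonic() < deadline:
                time.sleep(min(0.2, max(0.0, deadline - time.monotonic())))
        return cycles


def fake_scan() -> dict:
    """Constructed stand-in for the real market scan: no network access."""
    return {"opportunities": [], "min_edge": 3.0}


def demo_once() -> dict:
    """Run one cycle (the --once path) into a temporary data dir; return cycles and saved state."""
    m = Monitor(tempfile.mkdtemp(prefix="polymarket_"), fake_scan, interval=300)
    cycles = m.run(once=True)
    state = json.loads((m.data_dir / "state.json").read_text())
    return {"cycles": cycles, "state": state}


def demo_stop() -> int:
    """Run continuously with a zero interval; the second scan requests a stop, as Ctrl+C would."""
    calls = []

    def scan():
        calls.append(1)
        if len(calls) == 2:
            m.request_stop()
        return fake_scan()

    m = Monitor(tempfile.mkdtemp(prefix="polymarket_"), scan, interval=0.0)
    return m.run()


if __name__ == "__main__":
    parser = argparse.ArgumentParser()
    parser.add_argument("--data-dir", default="./polymarket_data")
    parser.add_argument("--interval", type=float, default=300)
    parser.add_argument("--once", action="store_true", help="run one scan and exit")
    args = parser.parse_args()
    monitor = Monitor(args.data_dir, fake_scan, args.interval)
    signal.signal(signal.SIGINT, monitor.request_stop)   # Ctrl+C stops after the current cycle
    print(f"cycles completed: {monitor.run(once=args.once)}", file=sys.stderr)
```

Run it with `--once` for a one-time scan; without it, the process keeps polling until Ctrl+C, and the last completed cycle is always on disk.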
