Polymarket Bot

Security checks across malware telemetry and agentic risk

Overview

This is a real Polymarket trading bot, but it needs careful review because it can trade automatically, includes unsafe parsing of remote data, and ships fixed Telegram notification credentials.

Review before installing. Do not run it with a funded wallet until eval() is removed, Telegram credentials are rotated and replaced with your own configuration, the external ai_trader dependency is packaged and reviewed, and live trading is protected by explicit limits, dry-run mode, or manual approval.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
Findings (13)

eval() call detected

High
Category
Dangerous Code Execution
Content
if events and events[0].get('markets'):
    markets = events[0]['markets']
    if markets:
        token_ids = eval(markets[0].get('clobTokenIds', '[]'))
        if token_ids:
            # UP = token_ids[0], DOWN = token_ids[1]
            token_id = str(token_ids[0] if direction == "UP" else token_ids[1])
Confidence
99% confidence
Finding
token_ids = eval(markets[0].get('clobTokenIds', '[]'))

Tainted flow: 'markets' from requests.get (line 270, network input) → eval (code execution)

Critical
Category
Data Flow
Content
if events and events[0].get('markets'):
    markets = events[0]['markets']
    if markets:
        token_ids = eval(markets[0].get('clobTokenIds', '[]'))
        if token_ids:
            # UP = token_ids[0], DOWN = token_ids[1]
            token_id = str(token_ids[0] if direction == "UP" else token_ids[1])
Confidence
100% confidence
Finding
token_ids = eval(markets[0].get('clobTokenIds', '[]'))

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill declares no permissions while documenting capabilities that clearly involve shell execution, network access, and file read/write operations. In an automated trading bot connected to a wallet, this under-declaration is dangerous because it prevents users and enforcement layers from accurately assessing what the skill can do before running it.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The documented behavior understates the real operational scope by omitting sensitive functions such as Telegram messaging, persistent state/log handling, scraping, and automated position management. This is dangerous because users may authorize a trading-only skill without realizing it also transmits data externally, stores potentially sensitive artifacts, and performs additional automated market actions.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The file is presented as analysis/decision logic but also contains live trading execution via create-order and writes persistent position records. In an agent-skill context, coupling market analysis with irreversible financial actions materially increases risk because invocation of the skill can directly spend funds without a separate approval boundary.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The function documentation says amount is auto-calculated as a percentage of balance, but the implementation ultimately ignores amount and always submits a fixed size of 5. In a trading bot, this mismatch is dangerous because operators may rely on documented risk controls that are not actually enforced, leading to unintended exposure.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The script performs outbound Telegram notifications containing trading activity, which is an external data-sharing capability beyond core local monitoring/trading logic and is not clearly disclosed in the stated skill scope. Even if intended for convenience, it leaks operational and potentially sensitive trading metadata to a third-party service without user consent or configuration safeguards.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The file hardcodes Telegram integration credentials and destination identifiers directly in source code. Hardcoded outbound messaging credentials create immediate secret exposure risk, allow unauthorized reuse if the code is shared, and enable silent exfiltration of bot activity to a fixed recipient.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The script sends outbound Telegram notifications even though that behavior is not disclosed in the skill description. In a trading bot context, this can leak sensitive operational data such as positions, profits, and activity timing to an external third party without informed user consent.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The skill documents automated betting, wallet usage, and notification setup without explicit warnings about financial loss, credential exposure, or transmission of data to third parties. In a live trading context, missing safety disclosures materially increases the chance of misuse, unsafe deployment, and accidental leakage of tokens, chat IDs, logs, or trade activity.

Missing User Warnings

High
Confidence
92% confidence
Finding
The bot proceeds from model output directly to execute_bet() without any user confirmation, interactive checkpoint, dry-run mode, or explicit arming control in this code path. In the context of real-money or wallet-backed automated trading, logic errors, model mistakes, or manipulated upstream market data can immediately trigger unintended financial transactions.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
A hardcoded Telegram bot token is used to transmit messages to Telegram's API, meaning anyone with code access can abuse the token and the script can exfiltrate trading events without transparent disclosure. In an automated trading bot context, this is especially risky because trade timing, direction, size, and prices are sensitive operational data that can reveal strategy and positions.

Missing User Warnings

High
Confidence
99% confidence
Finding
A hardcoded Telegram bot token and chat ID embed a live secret and a fixed exfiltration destination directly in source code. This enables unauthorized use of the bot if the code is exposed and silently transmits trading activity to a recipient the user may not control.

VirusTotal

66/66 vendors flagged this skill as clean.
