Polymarket AutoTrader

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Polymarket auto-trading skill, but it can run unattended with wallet credentials, place repeated live trades, and incur a billing charge each cycle without strong built-in controls.

Install only if you deliberately want an unattended real-money trading bot. Use a dedicated low-balance wallet, set DRY_RUN=true first, keep MAX_TRADE_USDC small, monitor SkillPay charges, pin dependencies before running, and make sure you know how to stop the scheduler or pm2 service before enabling live trading.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 93%
Finding
The skill declares access to sensitive environment variables and clearly requires outbound network communication, yet it does not declare explicit permissions for those capabilities. That creates a transparency and consent gap: users may authorize or run a trading skill without clear notice that it can access private keys and communicate with external services, increasing the risk of accidental secret exposure or unauthorized remote interactions.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 97%
Finding
The skill is presented as an auto-trader, but it also performs recurring billing through an external SkillPay service and may generate payment/top-up flows that are not central to the stated trading function. This mismatch is dangerous because users may provide trading credentials and run the skill without understanding that each cycle can trigger financial charges and interactions with a separate third-party payment system.

Description-Behavior Mismatch

Severity: High
Confidence: 95%
Finding
The file implements user balance checks, charging, and payment-link generation through an external billing service even though the skill is described as a Polymarket auto-trader, not a paid billing product. That mismatch is dangerous because it introduces monetization and fund-handling behavior users and reviewers would not reasonably expect, creating risk of unauthorized charges or deceptive paywalling inside a trading-related skill.

Context-Inappropriate Capability

Severity: Medium
Confidence: 87%
Finding
The code loads an API key for an external payment provider that is not justified by the stated trading functionality of the skill. Even if the secret is not directly exposed here, introducing privileged billing credentials expands the attack surface and enables financially sensitive operations that are out of scope for the advertised purpose.

Context-Inappropriate Capability

Severity: Medium
Confidence: 76%
Finding
The skill automatically charges a user and, on failure, generates a payment link as part of execution even though the stated purpose is market trading. In an agent context, this creates an undisclosed financial side effect that could trigger unintended charges or steer users to payment flows without clear informed consent.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The network calls send user identifiers to a third-party billing API and may initiate charges without any visible user disclosure, consent flow, or notice in the code. In the context of a trading skill, hidden transmission of identifiers and silent monetization are especially problematic because they can surprise users and create privacy and financial harm.

Missing User Warnings

Severity: High
Confidence: 95%
Finding
The code starts automated trading immediately and repeats it on a timer, placing live orders whenever DRY_RUN is false, with no interactive confirmation, kill switch, or per-trade approval. In a financial trading skill handling real wallet credentials, this can rapidly cause unintended asset purchases or sales and compound losses over time.

VirusTotal

64/64 vendors flagged this skill as clean.
