Skill v1.0.0
ClawScan security
polymarket-pro · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 25, 2026, 7:35 PM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill mostly matches its stated purpose (driving the Polymarket CLI) but contains notable inconsistencies and risky instructions — in particular an undeclared private-key requirement and an install method that pipes code from the web into a shell.
- Guidance
- This skill appears to be a wrapper for the Polymarket CLI and will ask you to provide a wallet private key to place trades. Before installing or running it: 1) Verify the upstream project: inspect the GitHub repo and the install script (do not run curl|sh blindly). 2) Prefer read-only operations first (market/list, order-book) and avoid supplying your private key until you audit the CLI. 3) If you must trade, consider using a hardware wallet or an account with limited funds; avoid storing your main private key in plaintext env vars or in ~/.config files. 4) Be cautious about running the provided curl | sh installer — pull the repo and review the script locally, or install from an audited package. 5) Note the SKILL metadata does not declare the private-key env var; treat that as a red flag and require the skill owner to clarify required credentials and their handling. If you plan to allow autonomous agent execution, do not provide any private key to the environment — autonomous invocation plus secret access would greatly increase risk.
Review Dimensions
- Purpose & Capability
- note: The name/description (Polymarket CLI operations) match the runtime instructions: market browsing, CLOB trading, and on-chain data are all implemented as CLI commands. However, the registry metadata lists no required env vars or credentials while the SKILL.md explicitly documents three ways to supply a private key (CLI flag, POLYMARKET_PRIVATE_KEY env var, or config file). That metadata/instruction mismatch is inconsistent.
- Instruction Scope
- concern: SKILL.md instructs the agent/user to create or provide private keys, read/write ~/.config/polymarket/config.json, and run on-chain approval transactions (which will spend gas). It also includes a curl | sh installer which runs remote code locally. The instructions do not attempt to limit or warn about storing sensitive keys in plaintext; they allow methods (env var, config file, CLI flag) that can expose secrets. These behaviors broaden the scope beyond simple read-only market queries.
- Install Mechanism
- concern: No formal install spec in registry (instruction-only), but SKILL.md recommends two installs: a brew tap pointing at a GitHub repo (reasonable) and a 'curl -sSL https://raw.githubusercontent.com/Polymarket/polymarket-cli/main/install.sh | sh' pattern. Curl|sh from a raw GitHub URL is higher risk because it executes remote script without review; it will write code to disk and may run arbitrary commands. This is proportionate to installing a CLI but still risky and should be audited before use.
- Credentials
- concern: Trading requires a private key/wallet, and SKILL.md documents POLYMARKET_PRIVATE_KEY, config file, and CLI flag options. Yet the registry metadata declares no required env vars or primary credential. The skill therefore fails to declare a clearly sensitive dependency. Requiring a private key is reasonable for a trading CLI, but it must be declared and the user should be warned about safe key-handling (hardware wallets, avoid plaintext env vars).
- Persistence & Privilege
- ok: The skill is instruction-only, has no install package in the registry, does not request 'always: true', and does not claim to modify other skills or system-wide agent settings. Autonomous invocation is allowed (platform default), which is normal, but see other concerns about keys and curl|sh.
