Skillv1.0.0

ClawScan security

PolyClaw Pro · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 26, 2026, 1:45 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill largely matches its trading description but contains multiple incoherences (hard-coded wallet addresses, root-specific paths, undeclared env vars, and cron/persistent-run advice) that could expose your private key or cause unexpected autonomous activity — review before installing or grant only a tightly scoped/test key.
Guidance: This skill is not obviously malicious, but it has multiple red flags you should resolve before trusting it with a real private key: - Do not supply your main wallet private key. Instead test with an expendable account funded with minimal funds. - Ask the author to explain why there are hard-coded wallet addresses (0x2aacf9...) and a funder address in multiple files. If those are sample/demo addresses, they should not be hard-coded in production code. - Confirm and require OPENROUTER_API_KEY (and any other API keys) to be declared in the skill metadata if the LLM hedge feature is used. - The code uses absolute root paths (/root/.openclaw/...). Run the skill in an isolated container or non-root account, and update config paths to be relative to the skill install directory. - Review cron/job recommendations carefully before adding them; scheduled scripts will repeatedly use the private key to sign transactions. - Verify the 'uv' brew formula source before installing; ensure 'uv sync' actually installs the Python dependencies (or run a venv and pip install from the included pyproject.toml yourself). - If you need automation, prefer short-lived or constrained keys (e.g., delegate with a smart-contract-based allowance or use a hot wallet with limited funds) and perform a code audit for any network endpoints or unexpected external calls. If the author cannot satisfactorily explain the hard-coded addresses, root paths, and undeclared env vars, treat the package as unsafe to run with any significant funds.

Review Dimensions

Purpose & Capability: concernThe skill claims to trade on Polymarket and therefore legitimately needs an RPC node and a private key (CHAINSTACK_NODE, POLYCLAW_PRIVATE_KEY) and the uv binary. However many code files contain hard-coded wallet addresses (e.g., 0x2aacf9... used as WALLET/WALLET_ADDR/funder) and other constants that suggest parts of the code operate on or expect someone else's account rather than the installing user's wallet. README/SKILL.md also reference an OPENROUTER_API_KEY for LLM hedge discovery that is not declared in the skill's required env list. These mismatches (hard-coded wallets + undeclared but required credentials) are disproportionate to a straightforward user-facing trading tool and are an incoherence to flag.
Instruction Scope: concernRuntime instructions run on-chain transactions (approve, redeem, trades) which is expected. But the SKILL.md and scripts also: (1) suggest cron jobs running from absolute root paths (/root/.openclaw/skills/polyclaw), (2) include an API bridge (polyclaw_api.py) intended to be called via SSH from external bots (exposes portfolio and risk-check endpoints without additional auth), and (3) several scripts patch HTTP clients to route through a local Tor proxy. The code reads/writes state/config files under hard-coded root paths and references other files (.env, portfolio.json), widening the data surface beyond the declared manifests. These instructions and paths grant ongoing access and data flow that go beyond simple interactive CLI usage.
Install Mechanism: noteInstall spec only installs the 'uv' brew formula. SKILL.md expects 'uv sync' to populate Python dependencies (pyproject.toml lists many packages). This is not malicious by itself, but the install description is incomplete: it assumes the uv tool will install required Python packages and create .venv. The brew source for 'uv' should be verified (third-party brew taps can be a risk). No arbitrary URL downloads or extract steps are present in the provided install spec.
Credentials: concernPrimary credential POLYCLAW_PRIVATE_KEY is expected for signing transactions. But the skill's README/SKILL.md and some code reference additional sensitive env vars (OPENROUTER_API_KEY, HTTPS_PROXY, CLOB_MAX_RETRIES) that are not declared in the skill metadata. The code uses CHAINSTACK_NODE and the private key, but also frequently uses a fixed WALLET_ADDR for data API calls (meaning the skill will collect and display data about that address) and sometimes uses a different 'funder' address for CLOB calls. Requiring a full EVM private key is proportional for trading, but the combination of undeclared API keys and the presence of hard-coded addresses is suspicious and can lead to unintended data disclosure or action.
Persistence & Privilege: concernThe skill does not set always:true, but SKILL.md and several scripts include explicit cron job examples (running as root, writing logs to /var/log) and code writes state files under /root/.openclaw/skills/polyclaw. These cron examples plus scripts that sign and send transactions with the provided private key create a persistent, scheduled capability to act with your credentials. Because the code also provides an API bridge intended for external invocation (SSH), persistent/automated use combined with the uncovered inconsistencies increases the blast radius.