Polymarket Multi Source Estimator

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed prediction-market trading bot, but it deserves review because it can be configured for repeated automated financial trading without strong safety limits or per-trade approval.

Install only if you intentionally want an advanced automated prediction-market estimator. Keep it in dry-run or simulated venue mode until you have reviewed the source, pinned or reviewed dependencies, set strict trade size and venue limits, and confirmed the LLM endpoint is trusted. Do not enable live trading unless you accept the risk of repeated automated financial decisions and possible loss.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (4)

Tainted flow: 'api_url' from os.environ.get (line 931, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
```python
    try:
        _llm_calls_this_cycle += 1
        resp = requests.post(
            api_url,
            headers={"Authorization": f"Bearer {api_key}",
                     "Content-Type": "application/json",
```
(excerpt as shown in the report; the call is truncated at this point)
Confidence
96% confidence
Finding
resp = requests.post( api_url, headers={"Authorization": f"Bearer {api_key}", "Content-Type": "application/json", "HTTP-Refere

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill explicitly relies on environment variables and extensive outbound network access to many third-party APIs, yet the metadata does not declare permissions or capabilities. This creates a transparency and policy-enforcement gap: operators may underestimate what the automaton can access, and a runtime that depends on declared permissions cannot properly constrain the skill.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
When run with --live, the script proceeds to place trades without a final explicit confirmation prompt or a prominent just-in-time warning. In an agent/automation context handling real funds or positions, this increases the risk of unintended financial actions from misconfiguration, prompt-induced decisions, or operator error.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
## Scheduling

Runs every 5 minutes via cron (`*/5 * * * *`). Managed automaton (auto-executes on schedule).
Capped at 50 LLM calls per run (`LLM_MAX_CALLS`) to control costs.

## Security
Confidence
88% confidence
Finding
auto-execute

VirusTotal

59/59 vendors flagged this skill as clean.
