ClawHub
Back to skill
v1.0.12

Polyvision

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 5:29 AM.

Analysis

PolyVision is a disclosed read-only Polymarket wallet analysis integration, but users should understand it sends wallet queries to an external MCP/API service using a PolyVision API key.

GuidanceThis skill appears coherent and read-only: it analyzes public Polymarket wallet activity and does not request trading or account-mutation authority. Before installing, make sure you trust PolyVision's hosted MCP/API service, keep the POLYVISION_API_KEY secret, and treat copy-trading scores or 'hot bets' as research signals rather than guaranteed financial advice.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
SeverityInfoConfidenceMediumStatusNote
metadata
Source: unknown; No install spec — this is an instruction-only skill.

The artifacts contain no local code or install package to inspect; the skill's functionality depends on the disclosed external PolyVision MCP/API service.

User impactThere is no local helper code to install, but users are relying on the external service's implementation and availability.
RecommendationPrefer installing only if you trust the PolyVision service and its published documentation; avoid granting broader credentials than the documented POLYVISION_API_KEY.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityLowConfidenceHighStatusNote
SKILL.md
"Authorization": "Bearer ${POLYVISION_API_KEY}"

The skill requires a PolyVision API key and sends it as a bearer token to the PolyVision MCP service. This is expected for the stated hosted analysis service, but it is still a credential boundary users should protect.

User impactAnyone with the API key could potentially use the user's PolyVision API access, and the PolyVision service can associate queries with that key.
RecommendationStore the API key securely, do not paste it into chats or shared files, and rotate it if it is exposed.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
SeverityLowConfidenceHighStatusNote
SKILL.md
"type": "streamable-http", "url": "https://api.polyvisionx.com/mcp"

The integration is a remote MCP service. Wallet addresses and analysis requests are sent outside the user's local agent to PolyVision's hosted endpoint, which is disclosed and purpose-aligned.

User impactThe external service will receive the wallet addresses or leaderboard queries the user asks to analyze.
RecommendationUse it only for wallet-analysis queries you are comfortable sending to PolyVision, and review the provider's privacy and API documentation if query confidentiality matters.