ClawHub

Polymarket Bots by

Security checks across malware telemetry and agentic risk

Overview

The skill is transparent and aligned with operating Dawn prediction-market strategies, but it gives agents real-money trading and account-operation workflows without explicit safety gates.

Install only if you intend to let an agent operate Dawn for prediction-market strategies. Use paper mode by default, and require explicit approval before login, funding, approving all rules, uploading strategy code, or launching any live run; confirm budget, duration, account, monitoring plan, and stop status.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill explicitly supports funding accounts and launching live strategies, but it does not require an explicit user confirmation or present a clear real-money risk warning before those steps. In an agent setting, that omission increases the chance of unintended financial actions, especially because the workflow normalizes moving from creation to live launch as a standard path.

Missing User Warnings

Low
Confidence
82% confidence
Finding
The authentication instructions tell the agent to run `dawn auth login` without warning that the login flow may send account identifiers, tokens, browser-based callback data, or other environment-linked information to an external service. In a skill designed for autonomous operations, missing that disclosure can cause users to authorize external access without understanding the privacy and account-linking implications.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal