Polymarket API Guide

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly a disclosed Polymarket API guide, but it includes live trading and private-key handling without enough guardrails for a financial tool.

Install only if you intentionally want a Polymarket skill that can be extended into live trading. Treat private keys and derived API credentials as high-value secrets: do not paste a main wallet key into shared prompts or logs, prefer a dedicated low-balance wallet or secret manager, and add explicit confirmation, dry-run defaults, order limits, and audit logging before running any order-placement code.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Intent-Code Divergence

Medium
Confidence: 88%
Finding
The implementation and comments around order semantics are internally inconsistent: the method is documented as placing a FOK market order, but it also sets `expiration=0` and labels that as GTC. In a real-trading client, ambiguity around time-in-force/order behavior can lead to unintended live orders, incorrect assumptions by downstream callers, and financial loss if developers rely on the documented behavior rather than the actual SDK semantics.

Missing User Warnings

Medium
Confidence: 93%
Finding
This section gives actionable order-placement guidance, including authentication setup, SDK usage, limit and market order construction, and operational advice, but it does not clearly warn that actions may place real-money trades or cause financial loss. In this context, the omission is significant because the skill is not merely informational about markets; it directly teaches how to submit live orders to a trading venue.

Missing User Warnings

Medium
Confidence: 89%
Finding
The documentation instructs users to derive API keys from a wallet/private-key context and then set API credentials, but it provides no warning about safe secret handling, storage, or the risk of exposing private keys and derived credentials in logs, code, or shared environments. In an agent skill context, this omission can lead users or downstream agents to handle high-value secrets unsafely, increasing the chance of account compromise or unauthorized trading.

VirusTotal

66/66 vendors flagged this skill as clean.
