Storyclaw Polymarket Trading

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Polymarket trading bot, but it stores wallet secrets locally and can run persistent automated real-money trades with weak runtime safeguards.

Review before installing. Use only a dedicated low-balance wallet, keep dry_run enabled until you intentionally accept live-trading risk, inspect any crontab entries before adding them, avoid untrusted or path-like USER_ID values, and assume the local credentials JSON can spend from the configured wallet if the host is compromised.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

Tainted flow: 'cred_path' from os.environ.get (line 62, credential/environment) → open (file write)

Medium
Category: Data Flow
Content
import json
import os

# CREDENTIALS_DIR is defined elsewhere in the skill (not shown on this page).
def save_config(user_id, config):
    # user_id is interpolated into the path unchanged; a path-like value
    # can escape CREDENTIALS_DIR, which is what the tainted-flow finding flags.
    cred_path = os.path.join(CREDENTIALS_DIR, f"{user_id}.json")
    with open(cred_path, "w") as f:
        json.dump(config, f, indent=2)
    os.chmod(cred_path, 0o600)  # restrict the credentials file to the owner
    print(f"✅ Config saved to {cred_path}")
Confidence: 95%
Finding
with open(cred_path, "w") as f:

Tainted flow: 'user_id' from input (line 812, user input) → open (file write)

Medium
Category: Data Flow
Content
import json
# get_state_path is defined elsewhere in the skill (not shown on this page).
def save_state(user_id, state):
    # user_id flows into the state-file path unchanged (the flagged tainted flow)
    with open(get_state_path(user_id), "w") as f:
        json.dump(state, f, indent=2)
Confidence: 93%
Finding
with open(get_state_path(user_id), "w") as f:

Tainted flow: 'perf_path' from os.environ.get (line 690, credential/environment) → open (file write)

Medium
Category: Data Flow
Content
# Fragment of the settlement routine; perf, wins, total, perf_path, newly_settled
# and still_pending are set earlier in the function (not shown on this page).
        "win_rate": round(wins / total, 4) if total > 0 else 0.0,
    }

    with open(perf_path, "w") as f:
        json.dump(perf, f, indent=2)

    print(f"\n📊 Settlement complete: {len(newly_settled)} settled, {len(still_pending)} still pending")
Confidence: 94%
Finding
with open(perf_path, "w") as f:

Context-Inappropriate Capability

Medium
Confidence: 90%
Finding
The documentation directs the agent to install cron jobs, which creates persistent autonomous execution on the host. Even if related to trading, persistence is materially more sensitive than merely running a bot on demand because it enables recurring unattended actions, log writes, and continued use of user credentials over time.

Intent-Code Divergence

Medium
Confidence: 82%
Finding
The skill states that strategies and crons must never be created without explicit user confirmation, but later provides direct operational instructions to install crons. This inconsistency is dangerous because agents may follow the procedural commands and bypass the safety gate, leading to unauthorized persistent automation.

Description-Behavior Mismatch

Medium
Confidence: 97%
Finding
The code includes a direct 'activate-live' path that flips a strategy from pending_live to live trading, which exceeds the described behavior of only asking the user whether to switch. In an agentic trading context, this creates a dangerous capability boundary violation: if the command is exposed through the agent or automation layer, funds could be put at risk without a robust explicit confirmation flow.

Missing User Warnings

Medium
Confidence: 88%
Finding
This cron worker can place live trades automatically when dry_run is false and auto_trade is enabled in the strategy file, without any approval gate in this script at execution time. In the context of a self-evolving trading bot, that is materially dangerous because a modified state file, bad strategy, or parser error can directly trigger financial actions on a schedule.

Missing User Warnings

Medium
Confidence: 87%
Finding
The interactive setup asks users to paste a wallet private key and then persists it locally, yet it does not prominently warn about the sensitivity of the secret, the danger of hot-wallet storage, or safer alternatives. In the context of a live trading bot handling real funds, normalizing plaintext private-key entry and storage materially increases the chance of wallet compromise through filesystem exposure, backups, logs, or multi-user host access.

Missing User Warnings

Medium
Confidence: 90%
Finding
Once `dry_run` is disabled, `cmd_trade` can submit real orders immediately with no final confirmation, no display of estimated cost/slippage, and no explicit acknowledgment that real funds are at risk. In a trading skill, that missing execution guard is more dangerous than in ordinary utilities because accidental invocation, automation mistakes, or misleading upstream prompts can directly trigger irreversible financial loss.

Missing User Warnings

Medium
Confidence: 89%
Finding
The cron worker can execute live trades automatically when a strategy status is set to 'live', without any just-in-time confirmation, interactive approval, or explicit safeguard at the execution point. In a self-evolving trading bot context, this is dangerous because a bad strategy change, compromised config, or logic error can immediately cause unauthorized financial transactions and loss of funds.

VirusTotal

64/64 vendors flagged this skill as clean.