Polyclaw

Security checks across malware telemetry and agentic risk

Overview

Polyclaw is openly an autonomous real-money trading and social-posting skill, but it gives a persistent backend powerful financial and public-action authority that needs careful review.

Install only if you intentionally want a persistent autonomous trading agent using real funds and public posting. Verify the official backend URL with the publisher, start with small funds, keep trading/posting disabled until configured, avoid storing API keys in agent memory or transcripts, rotate keys if exposed, and confirm pause, withdrawal, delete, and credential-revocation controls before funding.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The document broadens the skill from autonomous market trading into audience growth, community management, and multi-platform social operations. That scope expansion increases the agent's authority and outward actions beyond the stated trading purpose, which can lead to unintended posting, reputation harm, and policy-violating behavior if operators expected a trading-only capability.

Context-Inappropriate Capability

Medium
Confidence: 96%
Finding
The guide instructs the agent to autonomously poll for activity, post to external social networks, and engage with communities, which materially extends capability from trading into autonomous public communications. In an agent setting, this is dangerous because it creates a channel for unreviewed external actions, amplification of errors, and possible abuse of linked accounts without human oversight.

Intent-Code Divergence

High
Confidence: 93%
Finding
The script tells users that trading starts automatically once funded, but the registration payload sets `tradingEnabled` to `false`. In a financial trading skill, misleading automation state is dangerous because operators may fund wallets under the false assumption that live trading is active, or fail to review the real activation path and controls.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill promotes real-money autonomous trading but does not present an explicit, prominent risk warning about potential financial loss, strategy failure, slippage, or loss of deposited funds. Because the workflow is framed as a quick-start path into live trading, users may proceed without appreciating that they are enabling a real trading system with actual capital at risk.

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill states that trading starts automatically once funded, but it does not require a strong pre-funding confirmation that depositing money immediately enables autonomous execution. This creates a dangerous activation condition where merely funding the account can trigger trading before the operator fully understands or approves the live behavior.

Missing User Warnings

Medium
Confidence: 92%
Finding
The guide states that registration automatically deploys a token and wallet, sets approvals, and starts trading, but it does not prominently warn that registration triggers real blockchain transactions and trading actions. In a financial/trading skill, hidden or under-disclosed side effects can cause users to authorize irreversible on-chain actions or market activity without fully informed consent.

Missing User Warnings

Medium
Confidence: 95%
Finding
The manual buyback endpoint is presented as a simple API call without clearly warning that it will spend queued funds and execute a live market swap with slippage risk. In the context of autonomous token trading, this can lead operators to trigger real financial transactions without understanding price impact, execution loss, or irreversibility.

Missing User Warnings

Medium
Confidence: 94%
Finding
The instructions tell the agent to fetch trade activity and publish it to Moltbook and Moltx without discussing confidentiality, delayed disclosure, or redaction of sensitive position data. Publicly exposing live positions, sizing, confidence, and strategy rationale can leak alpha, enable copy-trading or adversarial trading against the agent, and create compliance or privacy issues.

Missing User Warnings

Medium
Confidence: 91%
Finding
The guide encourages autonomous trading behavior, including automatic exits, frequent looping, and bankroll management, but does not include an explicit warning about the possibility of financial loss, model error, execution risk, or the consequences of unsupervised trading. In a skill specifically designed to let an agent trade real prediction markets, this omission increases the chance that users enable risky automation without informed consent or adequate safeguards.

Missing User Warnings

Medium
Confidence: 91%
Finding
The script collects a highly sensitive operator API key and transmits it to a remote API, but does not clearly warn the user that the key will be sent off-host or identify the destination as a trust boundary. In the context of an autonomous trading platform, this is more dangerous because the key likely authorizes account-level actions and users may paste it interactively without understanding the exposure.

Missing User Warnings

High
Confidence: 95%
Finding
The script initiates registration that automatically deploys a wallet/token and presents the workflow as proceeding into automated trading after funding, yet provides no explicit confirmation gate for these financially significant actions. In a trading skill, creating on-chain artifacts and enabling downstream automated behavior without opt-in materially increases the risk of unintended asset movement, fees, and reputational harm.

External Transmission

Medium
Category: Data Exfiltration
Content
**Example Request:**

```bash
curl -X POST "https://polyclaw-workers.nj-345.workers.dev/agents/550e8400.../credentials" \
  -H "Authorization: Bearer pc_agent_x1y2z3..." \
  -H "Content-Type: application/json" \
  -d '{
```
Confidence: 84%
Finding
The `curl -X POST` call to `.../agents/550e8400.../credentials` shown above.

External Transmission

Medium
Category: Data Exfiltration
Content
**Example Request:**

```bash
curl -X POST "https://polyclaw-workers.nj-345.workers.dev/agents/550e8400.../orders/submit" \
  -H "Authorization: Bearer pc_agent_x1y2z3..." \
  -H "Content-Type: application/json" \
  -d '{
```
Confidence: 78%
Finding
The `curl -X POST` call to `.../agents/550e8400.../orders/submit` shown above.

Tool Parameter Abuse

High
Category: Tool Misuse
Content
Delete an agent and all associated data.

```
DELETE /agents/{id}
Authorization: Bearer {agentApiKey}
```
Confidence: 80%
Finding
`DELETE /agents/{id}`

VirusTotal

64/64 vendors flagged this skill as clean.