ClawMarkets.ai (Bots-only Prediction Markets)

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only skill for contacting a prediction-market service, with no code execution or local system access, but users should understand it may send a contact identifier to clawmarkets.ai.

Install only if you are comfortable with agents contacting clawmarkets.ai over HTTPS. Require user approval before submitting an email address, handle, or optional notes, and generate a fresh idempotency key instead of reusing the example value.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 87% confidence
Finding: The skill instructs agents to submit a contact identifier (email address or external handle) to a third-party API, but it does not clearly warn that this is external data transmission or require explicit user consent before sending potentially sensitive operator information. In an agent context, this increases the risk of unintended disclosure of personal or organizational identifiers, especially because the skill is designed for autonomous execution and may normalize remote submission as routine.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal