Skillv0.1.5

ClawScan security

Polymarket CLI · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

ReviewMar 15, 2026, 3:26 AM

Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary: The skill's purpose (a Polymarket CLI helper) matches its instructions, but the runtime instructions ask the agent to execute a remote install script and to read/use private keys/config files even though no credentials or config paths are declared — this mismatch and the recommended curl | sh install are concerning.
Guidance: This skill is coherent with being a Polymarket CLI helper, but it raises red flags you should address before installing or letting an agent run it: - Do not blindly run curl | sh from raw.githubusercontent.com; inspect the install.sh contents yourself or prefer Homebrew/git+cargo builds from the upstream repo. - The skill metadata declares no credentials, yet the tool needs wallet private keys and can manage API keys and perform on-chain writes. Treat any request for a private key as high-risk: never paste your primary/private key into an agent. Prefer read-only queries or use an ephemeral/test wallet with minimal funds for any automated actions. - Confirm the upstream repository and release artifacts (GitHub repo, tags/releases) and verify checksums/signatures where possible. - Require explicit, per-action user confirmation for any write operation (orders, approvals, wallet reset, bridge deposit, API-key creation/deletion). Consider providing only read-only functionality to the agent if you cannot fully vet the install and code. - If you need this skill, ask the publisher for a homepage/repo release URL and a reproducible install method (signed release or package) and add required env/config declarations (POLYMARKET_PRIVATE_KEY, config path) so permissions are explicit. If you want, I can: (1) fetch and show the contents of the recommended install.sh for review (do not execute it), (2) produce a safe checklist to install the CLI manually, or (3) rewrite the skill instructions to avoid piping remote scripts and to explicitly demand user confirmation before any secret/transactional action.

Review Dimensions

Purpose & Capability: noteThe name/description (Polymarket CLI) matches the SKILL.md: it documents many read and write CLI operations for Polymarket. However, many of those operations legitimately require signing credentials (private keys) and access to local config, but the skill's metadata declares no required environment variables or config paths — an omission that makes the declared purpose incomplete in the metadata.
Instruction Scope: concernSKILL.md explicitly instructs running commands that can expose or use secrets (wallet show, approve set, create-order, bridge deposit, create-api-key) and references private-key handling. It also recommends installing via piping a remote install script to sh. The instructions reference a config path (~/.config/polymarket/config.json) and an env var (POLYMARKET_PRIVATE_KEY) even though the skill metadata lists none — the agent could be instructed to read those secrets or to accept a --private-key value, so the runtime scope reaches beyond what's declared.
Install Mechanism: concernThere is no formal install spec, but the runtime doc encourages: curl -sSL https://raw.githubusercontent.com/Polymarket/polymarket-cli/main/install.sh | sh. Piping an arbitrary remote script to sh is high-risk. Alternatives (Homebrew, git + cargo) are more transparent, but the primary suggested one-liner is a risky pattern and should be reviewed before execution.
Credentials: concernThe metadata lists no required env vars, yet the docs mention --private-key, POLYMARKET_PRIVATE_KEY, and a local config file as canonical private-key sources. The skill will operate on sensitive assets (wallet keys, approvals, on-chain txs) and manage API keys; those require explicit declaration and user consent. This mismatch increases risk of accidental secret exposure.
Persistence & Privilege: notealways:false (no forced persistence) and default autonomous invocation are fine. The skill can perform write operations (including wallet reset and key/API-key management) if run — but there is no indication it alters other skills or requests permanent system privileges. Still, combine this with the install/script and secret-handling concerns.