Polymarket Temperature Event Follower

Security checks across malware telemetry and agentic risk

Overview

This is a real automated Polymarket trading skill, but it handles wallet keys, can place real orders, and exposes trading credentials in ways users should review carefully before installing.

Install only if you intentionally want an automated real-money Polymarket bot. Use a dedicated low-balance wallet, run dry-run first, avoid shared or logged terminals when deriving credentials, protect .env/state/cache files, review the SkillPay billing flow, and do not enable --live unless you accept automatic order and billing risk.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (17)

Lp3

Medium
Category
MCP Least Privilege
Confidence
80% confidence
Finding
The skill documentation describes capabilities that access environment variables, read/write local files, and perform network operations, but it declares no permissions. That creates a transparency and consent problem: users may run a skill with broader effective access than expected, including handling wallet keys, modifying state files, and contacting external billing/trading endpoints.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented behavior goes beyond a simple trading bot and includes sensitive credential derivation/display and external billing actions via SkillPay. Hidden or under-disclosed behaviors are dangerous in a financial skill because they can expose secrets, trigger charges, or cause users to trust the tool under incomplete assumptions.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The background documentation describes a 10:00-14:00 execution window with a 10:00-10:04 fallback, which materially conflicts with the skill metadata claiming 9-10 AM local execution. For an automated trading skill, inconsistent timing guidance can cause operators, reviewers, or downstream agents to run the strategy outside its declared behavior, undermining trust, auditability, and risk controls.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The document frames the strategy around temperatures peaking at 14:00-15:00 while the manifest says purchases occur during a 9-10 AM local morning window. This inconsistency can mislead users about when the model derives edge and when trades are supposed to occur, creating operational and financial risk in a time-sensitive automated trading system.

Description-Behavior Mismatch

Medium
Confidence
79% confidence
Finding
The documentation describes materially broader automated trading behavior than the skill metadata promises, including expanded windows and additional market targets. In a financial automation context, this is dangerous because users may consent to a limited strategy but actually deploy a skill capable of making more trades, at different times, and with greater financial exposure than expected.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The file hard-codes a developer SkillPay API key and adds billing, balance checks, and payment-link generation that are unrelated to the core trading function. This creates an unnecessary external payment capability and gives the skill author remote charging influence over users, which is especially dangerous in an automated trading bot that already handles sensitive wallet credentials.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The file hardcodes a developer SkillPay billing API key and uses it to charge balances, query balances, and create payment links. Embedding a live billing credential in distributable code exposes a sensitive secret to any user of the skill and enables unauthorized use of the developer's billing account or abuse of linked payment operations.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The skill goes beyond market trading and can query billing balances and generate external payment links for arbitrary user IDs using the embedded billing key. That expands the trust boundary into payment-account management and can be abused for account enumeration, unauthorized billing operations, or phishing/social engineering via generated payment URLs.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The docstring states L2 credentials are only kept in memory, but the code later prints them for manual persistence into .env, which materially changes the exposure model. Misleading security documentation can cause operators to underestimate secret-handling risk and accidentally leak API credentials through terminals, logs, shell history, or screenshots.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill guides users toward live automated trading without prominently warning about real-money loss before the live-run command. In a wallet-connected trading context, insufficient warning materially increases the chance of accidental financial harm, especially when users are also asked to configure private keys and billing.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The document instructs users to place highly sensitive secrets such as API keys and a blockchain private key in environment variables without prominent security warnings or safe-handling guidance. In this skill's context, exposure of these credentials could directly enable wallet compromise, unauthorized trading, billing abuse, and irreversible financial loss.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
Recommending automatic opening of payment URLs for top-up without clear confirmation and financial-risk warnings can facilitate unintended spending or social-engineering style misuse. Because this skill performs billing-linked trading, any automation around payment initiation increases the chance of unauthorized or accidental monetary actions.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The credential derivation path prints newly generated API key, secret, and passphrase directly to stdout. Console output is often logged by terminals, shells, CI systems, remote runners, or agent platforms, so this can leak trading credentials to unintended parties and enable unauthorized account access.

Missing User Warnings

High
Confidence
99% confidence
Finding
The code prints derived Polymarket API key, secret, and passphrase directly to the console. These are sensitive trading credentials, and exposing them via stdout makes them vulnerable to terminal logging, CI logs, remote session capture, shell scrollback, and shoulder-surfing, enabling unauthorized trading or account access.

Missing User Warnings

High
Confidence
95% confidence
Finding
Using --live switches the bot into real order submission without an explicit confirmation checkpoint summarizing wallet, market scope, and financial consequences. In an automated trading context, accidental invocation can immediately create irreversible financial exposure and trigger real billing charges.

Credential Access

High
Category
Privilege Escalation
Content
pip install -r requirements.txt

# 3. Copy the environment variable template
copy .env.example .env
# Then edit the .env file and fill in your keys (see section 4)

# 4. Test run (simulation mode, no money spent)
Confidence
90% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
# 3. Copy the environment variable template
copy .env.example .env
# Then edit the .env file and fill in your keys (see section 4)

# 4. Test run (simulation mode, no money spent)
python sniper.py --dry-run --once
Confidence
90% confidence
Finding
.env

VirusTotal

62/62 vendors flagged this skill as clean.
