v1.0.0

Polymarket Weather Scanner

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 8:02 AM.

Analysis

This is a coherent weather-market scanner, but it includes real-money Polymarket buying behavior without clearly declared account, credential, or approval boundaries.

Guidance: Treat this as a financial trading automation tool, not just a scanner. Before installing, review the buy path, use dry-run first, connect only a limited-funds wallet, and require explicit approval before any Polymarket order is placed.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: High | Confidence: High | Status: Concern
SKILL.md
python3 weather_scanner.py --buy      # Scan + execute best plays

The skill documents a mode that executes purchases in a financial prediction market. The artifacts do not state a mandatory human confirmation step, total spend cap, or clear conditions limiting when this mode may be used.

User impact: Running the buy mode could place real trades and lose money.
Recommendation: Use dry-run or scan-only mode by default, require explicit human approval before every order, and set a clear total exposure limit.

Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
metadata
Source: unknown
Homepage: none

The skill has limited provenance information. This is not by itself malicious because the local artifact is present and no remote installer is shown, but provenance matters for code that can automate financial trades.

User impact: It may be harder to verify who maintains the trading script or whether future versions are trustworthy.
Recommendation: Review the code carefully, keep a known-good copy, and prefer a verifiable source before enabling trade execution.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: High | Confidence: High | Status: Concern
weather_scanner.py
MAX_BET_SIZE     = 25.0   # Hard cap per trade (updated rule)
RESERVE_BUFFER   = 15.0   # Always keep $15 in wallet

Wallet and bet-size logic shows the skill expects financial account or wallet authority, while the registry declares no primary credential, required environment variable, or required config path for that authority.

User impact: If connected to a Polymarket wallet or account, the skill could spend from whatever trading authority the runtime exposes.
Recommendation: Only use a dedicated low-balance wallet, document exactly how trading credentials are loaded, and do not expose main wallet credentials to this skill.