
Security audit

Polymarket Weather Scanner

Security checks across malware telemetry and agentic risk

Overview

This is a real-money Polymarket trading skill with a partially disclosed buy mode; its wallet use and delegated trade execution are under-documented.

Treat this as an automated trading tool, not just a forecast scanner. Review or supply the missing `trader.py`, use `--dry-run` first, confirm which wallet/private key is exposed, and set strict external spending limits before allowing buy mode.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (7)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
import subprocess
    cmd = ["python3", str(Path(__file__).parent / "trader.py"),
           "--buy", "--slug", slug, "--yes", "--size", str(round(size, 2)), "--confirm"]
    r = subprocess.run(cmd, capture_output=True, text=True, timeout=30)
    out = (r.stdout + r.stderr).strip()
    ok = any(x in out.lower() for x in ["matched", "delayed", "success", "order placed"])
    return ok, out
Confidence
93% confidence
Finding
r = subprocess.run(cmd, capture_output=True, text=True, timeout=30)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill advertises operational capabilities that include environment access, file reads, network access, and shell execution, but does not declare permissions. That creates a transparency and governance gap: users and hosting platforms cannot accurately assess the trust boundary before installation, and the undocumented shell/network combination materially increases abuse potential if the underlying code is compromised or misleading.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The stated behavior focuses on scanning weather-market mispricing, but the actual behavior reportedly includes placing trades, accessing wallet credentials/balances, invoking external trading logic via subprocess, and using additional undisclosed forecast logic. This mismatch is dangerous because users may grant trust to an analytics-only skill while it can perform financially sensitive actions and call secondary code paths not clearly disclosed.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill is presented as a scanner, but it can perform live trades when invoked with --buy. This capability mismatch is security-relevant because users or higher-level agents may grant it trust and credentials appropriate for analysis only, while the code can spend funds and alter account state.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The scanner reads a local Visual Crossing credentials file, which exceeds a pure forecast-analysis role and silently accesses local secrets. While the API key is used for its intended weather service, undeclared credential access increases the blast radius of the skill and weakens user expectations about what local data it may read.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The skill invokes an external trader.py script to execute purchases, which is materially broader than weather scanning. This indirection makes review harder because the actual sensitive behavior depends on another file and can change independently, creating hidden execution risk in a seemingly analytical tool.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code loads .env values and uses PRIVATE_KEY and WALLET_ADDRESS to connect to a trading client without a prominent warning or consent boundary. In the context of an agent skill, silent access to wallet credentials is highly sensitive because it enables balance queries and trade placement against real funds.
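The subprocess finding above shows buy mode delegating to a separate trader.py and deciding success by substring-matching stdout plus stderr (so "unmatched" satisfies the "matched" check), and the last two findings show that script being swappable and wallet credentials being loaded silently. The following is an added example of the guard an operator could put in front of that call; it is not the skill's code and not the real trader.py, whose interface is not shown on this page. It assumes, hypothetically, that trader.py accepts the flags quoted in the finding plus a --dry-run flag, and prints one JSON status line such as {"status": "matched"}; the stand-in trader it writes is constructed for the demonstration.

```python
"""Guarded delegation to trader.py: consent gate, spend caps, pinned script,
structured success check. Added example, not the audited skill's code.
Assumed (hypothetical) trader.py interface: the flags from the audit page
plus --dry-run, and one JSON status line on stdout, e.g. {"status": "matched"}.
"""
import hashlib
import json
import os
import subprocess
import sys
import tempfile
from dataclasses import dataclass
from pathlib import Path

LIVE_FLAG = "--confirm"
SUCCESS_STATUSES = {"matched", "delayed"}   # statuses the audited snippet treats as filled


@dataclass
class SpendPolicy:
    max_order_usd: float        # hard cap on a single order
    max_daily_usd: float        # hard cap on cumulative live spend
    spent_usd: float = 0.0      # running total, updated only on live fills


@dataclass
class BuyOutcome:
    ok: bool
    reason: str
    raw: str = ""


def mask_secret(value: str) -> str:
    """Enough to confirm which key is loaded, never the key itself."""
    return "****" if len(value) <= 8 else value[:4] + "..." + value[-4:]


def describe_credentials(env) -> dict:
    """Which wallet variables are present (masked), so the operator can confirm
    which wallet the skill would spend from before enabling buy mode."""
    return {k: (mask_secret(env[k]) if k in env else None)
            for k in ("PRIVATE_KEY", "WALLET_ADDRESS")}


def sha256_file(path) -> str:
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def parse_trader_output(stdout: str, returncode: int):
    """Decide success from the exit status and a JSON status line, not from a
    substring search over stdout+stderr ('unmatched' contains 'matched')."""
    if returncode != 0:
        return False, f"trader exited {returncode}"
    for line in reversed(stdout.splitlines()):
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            status = json.loads(line).get("status")
        except json.JSONDecodeError:
            continue
        return status in SUCCESS_STATUSES, f"status={status!r}"
    return False, "no status line"


def guarded_buy(slug, size_usd, policy, trader_path, expected_sha256,
                confirm=False, dry_run=True, runner=subprocess.run) -> BuyOutcome:
    # 1. Explicit consent boundary: nothing runs without it.
    if not confirm:
        return BuyOutcome(False, "buy mode not confirmed")
    # 2. External spending limits, enforced here rather than trusted to trader.py.
    if not 0 < size_usd <= policy.max_order_usd:
        return BuyOutcome(False, f"order size {size_usd:.2f} outside (0, {policy.max_order_usd:.2f}]")
    if not dry_run and policy.spent_usd + size_usd > policy.max_daily_usd:
        return BuyOutcome(False, "daily spend cap would be exceeded")
    # 3. Pin the delegated script so it cannot change underneath the scanner.
    trader_path = Path(trader_path)
    if not trader_path.is_file():
        return BuyOutcome(False, f"missing {trader_path}")
    actual = sha256_file(trader_path)
    if actual != expected_sha256:
        return BuyOutcome(False, f"trader.py hash mismatch: {actual[:12]}")
    # 4. Same interpreter as the caller; dry run unless explicitly disabled.
    cmd = [sys.executable, str(trader_path), "--buy", "--slug", slug, "--yes",
           "--size", f"{size_usd:.2f}", LIVE_FLAG if not dry_run else "--dry-run"]
    r = runner(cmd, capture_output=True, text=True, timeout=30)
    ok, reason = parse_trader_output(r.stdout, r.returncode)
    if ok and not dry_run:
        policy.spent_usd += size_usd
    return BuyOutcome(ok, reason, (r.stdout + r.stderr).strip())


STUB_TRADER = '''import json, sys
# Constructed stand-in for trader.py (not the real script): echoes a status.
live = "--confirm" in sys.argv
print(json.dumps({"status": "matched", "simulated": not live}))
'''


def write_stub_trader(directory=None):
    """Write the constructed stand-in and return (path, sha256) for pinning."""
    directory = directory or tempfile.mkdtemp(prefix="trader-stub-")
    path = Path(directory) / "trader.py"
    path.write_text(STUB_TRADER)
    return str(path), sha256_file(path)


if __name__ == "__main__":
    print(describe_credentials(os.environ))
    path, digest = write_stub_trader()
    pol = SpendPolicy(max_order_usd=25.0, max_daily_usd=50.0)
    print(guarded_buy("weather-slug", 10.0, pol, path, digest, confirm=True))
```

The order of the checks is deliberate: consent and the spending caps are evaluated before anything touches the filesystem or a subprocess, and the hash pin means a modified trader.py fails closed instead of silently changing what "buy mode" does. The caps live in the caller, so they hold even if the delegated script ignores its own arguments.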

VirusTotal

66/66 vendors reported this skill as clean. An antivirus verdict covers known-malware signatures only; it does not address the capability and disclosure findings above.


Static analysis

No suspicious patterns detected.