Skillv0.2.0

ClawScan security

Wangbo Polymarket Copytrading · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 3, 2026, 11:21 AM

Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary: The skill's code matches its copy-trading purpose, but the package metadata and SKILL.md omit critical prerequisites (a 'polymarket' CLI, curl, and signing credentials) and the scripts can place real orders — these mismatches and the potential for financial impact make the package suspicious until prerequisites and privileges are clarified.
Guidance: Before installing or running this skill: (1) Recognize that the scripts can place real Polymarket orders when run with --execute — do not run with --execute unless you fully trust the code and environment. (2) Confirm where signing keys live (polymarket CLI, local key store, or env vars) and never expose private keys to untrusted code. (3) Require the author to update metadata/SKILL.md to declare required binaries (polymarket, curl) and the exact credential model needed, and add explicit warnings about financial risk. (4) Test with dry-run only and inspect the polymarket CLI commands that will be executed; run in an isolated environment or with empty/funding-free accounts first. (5) If you need to allow autonomous invocation, restrict permissions and review how the agent obtains confirmations before executing orders.

Review Dimensions

Purpose & Capability: concernThe skill claims to build/run Polymarket copy-trading workflows and the scripts do exactly that (fetch leaderboard data, evaluate traders, and place orders). HOWEVER the registry metadata declares no required binaries or credentials even though the code invokes 'curl' and a 'polymarket' CLI (polymarket markets get, polymarket clob market-order). The absence of those requirements in metadata is an incoherence: either the skill owner omitted required prerequisites, or the skill expects the agent environment to already hold signing keys/configs (a sensitive implicit dependency).
Instruction Scope: concernSKILL.md instructs running the included scripts and describes dry-run vs execute flags, but it does not mention the need for the polymarket CLI, curl, or where signing credentials come from. The runtime instructions allow running the scripts with --execute which will call an external CLI to place market orders — a high-impact action. The instructions do not warn about or require explicit confirmation of privileged signing credentials or funding, nor do they document which endpoints/CLIs will be used to sign and send orders.
Install Mechanism: noteThere is no install spec (instruction-only plus included scripts), so nothing is downloaded at install time — this is lower risk for code injection. However, runtime requires external binaries (curl and the polymarket CLI). The absence of an install step or documentation for obtaining the polymarket CLI is a usability/security gap: users may unknowingly run code that depends on preinstalled tools which can access local keys.
Credentials: concernRegistry metadata lists no required environment variables or credentials, but the auto-copy config includes wallet addresses and the code calls a CLI that likely uses local signing keys or environment-based credentials. The scripts can perform signed market orders when invoked with --execute, which implies access to private keys or signing infrastructure; the skill does not declare, justify, or constrain access to those secrets. That mismatch is disproportionate for the published metadata and hides a sensitive requirement.
Persistence & Privilege: okThe skill is not always:true and does not request persistent/automatic inclusion. It does allow autonomous model invocation by default (normal), but there is no evidence the skill modifies other skills or system-wide agent settings. The main privilege concern is operational (placing real orders) rather than persistent installation.