Strategic Paper Trader on Polymarket

Security checks across malware telemetry and agentic risk

Overview

This paper-trading skill is disclosed, but it can automatically place trades and alter or reset cloud workspace state without enough user-control safeguards.

Install only if you want an agent to actively manage a PredictScope paper-trading workspace. Use a dedicated workspace, explicitly set the workspace ID, keep safety rules enabled, protect the API key, and require confirmation before trades, resets, workspace deletion, strategy changes, or disabling order rules.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill exposes destructive actions like disable, delete, and reset workspace in the tools reference without consistently requiring explicit user confirmation at the point of use. In an agent setting, documenting powerful write actions without a hard confirmation policy increases the chance of accidental or prompt-injected data loss or account disruption, even if the environment is only paper trading.

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill explicitly instructs the agent to trade automatically on first session and says not to ask the user what to do, which normalizes autonomous write actions without an upfront consent gate. Even though trades are paper-only, these actions still alter user workspace state, can create unwanted positions/orders, and make prompt-injection or misaligned autonomous behavior more dangerous.

VirusTotal

66/66 vendors flagged this skill as clean.
