Skill v1.0.1
VirusTotal security
Polymarket Monitor · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Review: May 1, 2026, 4:18 AM
- Hash: 96c1dba8274a37761d3538498ab07a35ac67a6bef2acd1ebf32decdbbbcbfd84
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: polymarket-monitor; Version: 1.0.1. The skill is classified as suspicious due to a critical shell injection vulnerability identified in `SKILL.md`. In Workflow Step 1, the instruction `curl "https://gamma-api.polymarket.com/events?search=<topic>&limit=10&active=true"` directly embeds user-controlled `<topic>` into a shell command. If the AI agent executes this `curl` command without proper sanitization or escaping of the `<topic>` input, it could lead to arbitrary command execution (RCE). While the `scripts/check_markets.py` file demonstrates good input validation for `conditionId` arguments, this does not mitigate the shell injection risk present in the `SKILL.md` instructions for the agent. There is no evidence of intentional malicious behavior such as data exfiltration to unauthorized endpoints or persistence mechanisms.
