Whale Movement Detector (庄家异动探测器)

Security checks across malware telemetry and agentic risk

Overview

This skill is a paid Polymarket data service, but it embeds a payment API secret and overstates the depth of its market intelligence.

Review before installing. Treat the payment flow as real, do not rely on the advertised whale/on-chain analysis unless the developer documents and implements those data sources, and avoid deploying it until the SkillPay key is revoked, removed from source, loaded from a managed secret, and payment hosts are restricted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Tainted flow: 'url' from os.getenv (line 231, credential/environment) → requests.post (network output)

Severity: Critical
Category: Data Flow
Content:
        "title": "OpenClaw Skill Payment",
        "description": "Polymarket Movers x3",
    }
    r = requests.post(url, json=body, headers=headers, timeout=20)
    if r.status_code not in (200, 201):
        raise HTTPException(status_code=502, detail="SkillPay create charge failed")
    data = r.json()
Confidence: 96%
Finding: r = requests.post(url, json=body, headers=headers, timeout=20)

Tainted flow: 'url' from os.getenv (line 231, credential/environment) → requests.get (network output)

Severity: Critical
Category: Data Flow
Content:
        raise HTTPException(status_code=400, detail="Missing SKILLPAY_API_KEY")
    url = f"{SKILLPAY_API_BASE.rstrip('/')}/v1/charges/{charge_id}"
    headers = {"Authorization": f"Bearer {SKILLPAY_API_KEY}"}
    r = requests.get(url, headers=headers, timeout=20)
    if r.status_code != 200:
        raise HTTPException(status_code=502, detail="SkillPay status query failed")
    data = r.json()
Confidence: 96%
Finding: r = requests.get(url, headers=headers, timeout=20)

Context-Inappropriate Capability

Severity: Medium
Confidence: 89%
Finding:
The skill implements payment creation and payment-status polling even though the service primarily provides market-mover data. Payment handling increases the attack surface and introduces financial and trust risks, especially because the code automatically creates charges and gates access without visible authentication, rate limits, or clear user-consent controls beyond the API response. In a small utility skill, embedded billing logic makes misuse more dangerous.

Missing User Warnings

Severity: High
Confidence: 99%
Finding:
A live-looking SkillPay API key is hardcoded directly in source code. Anyone with code access can reuse the credential to create or inspect charges, abuse the payment account, and potentially incur financial loss or compromise transaction integrity. Hardcoded secrets are especially severe when tied to payment infrastructure.

Missing User Warnings

Severity: Medium
Confidence: 78%
Finding:
The code performs payment-related network operations and exposes a payment flow through /invoke, but there is little visible disclosure, consent tracking, or user-context verification in the implementation itself. This is dangerous because users or integrators may trigger billing flows without sufficient transparency, and the service grants access based only on a supplied charge ID's status. In payment contexts, unclear disclosure and weak linkage between payer and requester increase abuse risk.

VirusTotal

66/66 vendors flagged this skill as clean.
