庄家异动探测器 (Whale Movement Detector)

Security checks across malware telemetry and agentic risk

Overview

This paid Polymarket data skill is not clearly malicious, but it embeds a payment-service secret and overstates what the code appears to deliver.

Review before installing. The skill does not show destructive behavior or local data theft, but avoid deploying it until the hardcoded SkillPay key is removed or rotated, the payment account ownership is clarified, SkillPay hosts are pinned or allowlisted, and the description accurately states that the output is public Polymarket price-mover data rather than broader whale intelligence.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Tainted flow: 'url' from os.getenv (line 231, credential/environment) → requests.post (network output)

Severity: Critical
Category: Data Flow
Content:
        "title": "OpenClaw Skill Payment",
        "description": "Polymarket Movers x3",
    }
    r = requests.post(url, json=body, headers=headers, timeout=20)
    if r.status_code not in (200, 201):
        raise HTTPException(status_code=502, detail="SkillPay create charge failed")
    data = r.json()
Confidence: 96%
Finding:
    r = requests.post(url, json=body, headers=headers, timeout=20)

Tainted flow: 'url' from os.getenv (line 231, credential/environment) → requests.get (network output)

Severity: Critical
Category: Data Flow
Content:
        raise HTTPException(status_code=400, detail="Missing SKILLPAY_API_KEY")
    url = f"{SKILLPAY_API_BASE.rstrip('/')}/v1/charges/{charge_id}"
    headers = {"Authorization": f"Bearer {SKILLPAY_API_KEY}"}
    r = requests.get(url, headers=headers, timeout=20)
    if r.status_code != 200:
        raise HTTPException(status_code=502, detail="SkillPay status query failed")
    data = r.json()
Confidence: 96%
Finding:
    r = requests.get(url, headers=headers, timeout=20)

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding:
The skill primarily retrieves public market data, yet it embeds payment-processing logic and blocks access until a third-party payment is completed. That expands the attack surface significantly by introducing sensitive financial workflows, third-party data sharing, and secret handling into a simple data-retrieval service.

Missing User Warnings

Severity: High
Confidence: 99%
Finding:
A live-looking payment-service API key is hardcoded directly in source code, making it trivially recoverable by anyone with code access and potentially usable to create, inspect, or manipulate payment objects. In this skill, the risk is amplified because the same credential is sent in outbound requests and can also be exfiltrated via the configurable payment API base URL.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
The code transmits payment identifiers and status queries to a third-party processor without any evident user-facing disclosure or consent flow. While not necessarily exploitative on its own, this is a real privacy and trust issue because users may not realize their payment metadata is being shared externally to access simple market data.

VirusTotal

66/66 vendors flagged this skill as clean.
