pmbuysell-polymarket

Security checks across malware telemetry and agentic risk

Overview

This is a real Polymarket trading skill, but it can let an agent place live trades using stored wallet keys without built-in confirmation or strong secret protection.

Install only if you intentionally want an agent or script to trade on Polymarket. Use a dedicated low-balance wallet, protect the .env and data directories, pin and review dependencies, and require a human approval step outside the skill before every live order.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill documentation instructs the agent to read/write `.env` files, use local package imports, and perform networked trading actions, yet no permissions are declared. This creates a capability-transparency gap: a caller may invoke the skill without understanding that it can access credentials, modify local files, and place live market orders over the network.

Tp4

High
Category
MCP Tool Poisoning
Confidence
84% confidence
Finding
The stated purpose focuses on trading and balance queries, but the document also includes configuration-file creation, config validation, and an auto-redeem entrypoint that advertises an upgrade path. This mismatch can mislead users and policy systems about the true operational surface, increasing the chance of unexpected file modification or commercial prompting in a security-sensitive workflow.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The file states that the skill provides auto-redeeming as part of the package, while the metadata says redeem is a separate paid addon. For a financial trading skill, capability misrepresentation is safety-relevant because an agent or user may assume settlement actions are available locally and make trading decisions based on false operational assumptions.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The marketplace copy advertises auto-redeem as part of the skill pack, then later says it requires a separate paid module. In a marketplace setting this can mislead downstream agents or operators about what actions the skill can perform, increasing the chance of unsafe automation or accidental financial exposure when redemption is assumed but unavailable.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill promotes market buy/sell and auto-redeem features without an explicit warning that these actions can execute real-money trades and other irreversible financial operations. In the context of an AI agent skill, the absence of strong safety gating materially increases the risk of accidental or unauthorized trades, which can directly cause financial loss.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill provides direct instructions for live buying and selling of prediction-market positions but does not prominently warn that actions may be financially irreversible or loss-inducing. In an agent context, omission of such warnings raises the risk of accidental execution of real-money trades without meaningful user awareness.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation includes examples for placing raw private keys into `pmbuysell/.env` without any warning about secret handling, storage risk, or least-privilege practices. Exposing users or agents to direct plaintext credential setup materially increases the chance of credential leakage, unauthorized trades, and wallet compromise.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The code persists Polymarket API credentials to a predictable local JSON file without encryption, permission hardening, or any disclosure to the user. On a multi-user system, shared workspace, backup target, or compromised host, these credentials could be recovered and reused to query or place trades on behalf of the user.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
This CLI directly executes live buy/sell orders based solely on command-line arguments, with no confirmation prompt, dry-run mode, policy gate, or explicit acknowledgement that real funds will be used. In an agent-skill context, that makes unintended or prompt-induced trading much easier, increasing the chance of irreversible financial loss from mistakes, misuse, or unauthorized automation.

Credential Access

High
Category
Privilege Escalation
Content
| Parameter | Required | Description |
|------|------|------|
| `--account` | Yes | Account ID, e.g. ACC1 (must be configured in `.env` under PM_ACCOUNT_IDS and ACC1_PRIVATE_KEY/ACC1_FUNDER) |
| `--action` | Yes | `buy` or `sell` |
| `--slug` | Required in manual mode | Market slug, e.g. `tc-updown-5m-1772452800` |
| `--slug-mode` | No | `manual` (default) or `auto`; in auto mode the current bucket slug is generated from `--symbol` and `--timeframe` |
Confidence
93% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
## Model invocation checklist

1. Confirm the CLI is run from the **project root directory**, or that the current environment can `import pmbuysell`.
2. Confirm the `account` is configured in .env.
3. For manual slugs: the `slug` format is `{symbol}-updown-{5m|15m}-{桶起始时间戳}` (the last field is the bucket start timestamp).
4. For auto slugs: only `timeframe` values of `5m` or `15m` are supported.
5. Judge success from the returned `ok` and `message`; on failure, `message` usually contains hints such as insufficient balance, market closed, or no match.
Confidence
90% confidence
Finding
.env

VirusTotal

66/66 vendors flagged this skill as clean.
