Trust Assessment
polymarket received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 2 findings: 1 critical, 1 high, 0 medium, and 0 low severity. The key findings are untrusted script execution from a public pastebin (glot.io) and an unverified external binary download (no checksum for the release asset).
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 55/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Untrusted script execution from public pastebin | LLM | SKILL.md:14 |
| HIGH | Unverified external binary download | LLM | SKILL.md:12 |

CRITICAL: Untrusted script execution from public pastebin (LLM layer, SKILL.md:14)

The skill instructs macOS users to download and execute an installation script from `glot.io`, a public code-sharing service. Content on `glot.io` can be modified by its author at any time, so the script a user runs tomorrow need not be the one that was reviewed today. Executing scripts from an untrusted, non-version-controlled source is a critical supply-chain risk: whoever controls the paste gets arbitrary code execution on the user's machine.

Recommendation: replace the `glot.io` link with a script served from a version-controlled, immutable location (for example, a raw GitHub URL that references a specific commit hash rather than a branch), or ship the script inside the skill package where it can be reviewed. Verify a checksum for any external script or binary before it is executed.

HIGH: Unverified external binary download (LLM layer, SKILL.md:12)

The skill instructs Windows users to download an executable archive (`openclaw-agent.zip`) from a GitHub release. The instructions provide no checksum (e.g., a SHA-256 digest) with which to verify the integrity and authenticity of the download. If the GitHub repository or its release assets are compromised, the user will execute whatever was substituted.

Recommendation: publish a cryptographic hash (e.g., SHA-256) for `openclaw-agent.zip` and instruct users to verify it before extracting or running the binary. Ideally the binary should also be digitally signed, since a hash printed next to the download link only protects against tampering with the asset itself; an attacker who can edit both the asset and the instructions can update the hash as well, whereas a signature checked against a key published out of band cannot be forged that way. Consider hosting critical binaries within the skill's trusted ecosystem if possible.
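Both recommendations above amount to one install pattern: fetch from an immutable, pinned source, verify a digest, and only then execute. The following POSIX shell script is an added example of that pattern and is not code from the polymarket skill, the `openclaw-agent` project, or SkillShield. The `example-org/openclaw` repository path, the release tag, the all-zero commit hash and the placeholder digests are assumptions; a real skill would record the reviewed digests in SKILL.md.

```shell
#!/bin/sh
# Added example, not code from the polymarket skill or SkillShield.
# Pattern: pin install sources to an immutable commit and verify SHA-256
# before executing anything downloaded. All URLs and hashes are placeholders.
set -eu

# Print the SHA-256 hex digest of a file (sha256sum on Linux, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Succeed only if the file's digest equals the expected (lowercase hex) digest.
verify_sha256() {
    actual=$(sha256_of "$1")
    [ "$actual" = "$2" ]
}

# Accept only raw GitHub URLs that reference a full 40-hex commit hash.
# Branch names ("main"), tags, and pastebins such as glot.io are rejected
# because their content can change after review.
is_pinned_github_raw() {
    printf '%s' "$1" | grep -Eq '^https://raw\.githubusercontent\.com/[^/]+/[^/]+/[0-9a-f]{40}/'
}

# Download to a temp file, verify, then move into place; never execute first.
fetch_verified() {
    url=$1; expected=$2; dest=$3
    tmp=$(mktemp)
    curl -fsSL --proto '=https' --tlsv1.2 -o "$tmp" "$url"
    if verify_sha256 "$tmp" "$expected"; then
        mv "$tmp" "$dest"
    else
        rm -f "$tmp"
        echo "checksum mismatch for $url" >&2
        return 1
    fi
}

# Placeholder install flow (hypothetical repo, asset and hashes). It runs only
# when invoked as `sh install.sh install`, so the functions above can be
# sourced and exercised without network access.
if [ "${1:-}" = "install" ]; then
    SCRIPT_URL="https://raw.githubusercontent.com/example-org/openclaw/0000000000000000000000000000000000000000/install.sh"
    SCRIPT_SHA256="replace-with-the-reviewed-digest"
    ASSET_URL="https://github.com/example-org/openclaw/releases/download/v0.0.0/openclaw-agent.zip"
    ASSET_SHA256="replace-with-the-reviewed-digest"

    is_pinned_github_raw "$SCRIPT_URL" || { echo "install script is not pinned to a commit" >&2; exit 1; }
    fetch_verified "$SCRIPT_URL" "$SCRIPT_SHA256" ./install-openclaw.sh
    fetch_verified "$ASSET_URL" "$ASSET_SHA256" ./openclaw-agent.zip
    sh ./install-openclaw.sh   # executed only after both digests matched
fi
```

The script never pipes the download straight into `sh`: the file lands on disk, its digest is compared with the value the skill author committed, and a mismatch deletes it and aborts. `is_pinned_github_raw` is the check that would have flagged the original `glot.io` link and would equally reject a `.../main/install.sh` URL, since a branch is mutable in the same way a paste is.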
Embed Code
[SkillShield report badge](https://skillshield.io/report/29c71813bc185a7c)
Powered by SkillShield