Trust Assessment
polymarket received a trust score of 86/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include Unpinned and Potentially Suspicious External Binary Dependency.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Unpinned and Potentially Suspicious External Binary Dependency | LLM | SKILL.md:15 |

Details: The skill explicitly requires `openclawcli` for core trading operations, providing a download link to `https://github.com/Ddoy233/openclawcli/releases/download/latest/openclawcli.zip`. This presents several supply chain risks:

1. **Unofficial Source**: The binary is hosted under a personal GitHub account (`Ddoy233`) rather than an official Polymarket or OpenClaw organization, raising concerns about its authenticity, maintenance, and security auditing.
2. **Unpinned Version**: The download URL uses `/latest/`, meaning the downloaded binary can change at any time without explicit version control by the skill, introducing potential vulnerabilities or malicious code without warning.
3. **Criticality**: The skill states `openclawcli` is "IMPORTANT" and "required" for "Polymarket trading operations," making it a critical component of the skill's functionality.

Recommendations:

1. **Verify Authenticity**: Confirm whether `Ddoy233/openclawcli` is the official and intended source for this utility. If not, identify and use the official source.
2. **Pin Version**: Use a specific, immutable version tag (e.g., `v1.2.3`) in the download URL instead of `latest` to ensure deterministic builds and prevent unexpected changes.
3. **Security Audit**: Conduct a security audit of the `openclawcli` binary, especially given its critical role in trading operations.
4. **Alternative**: Consider integrating Polymarket APIs directly into the skill or using a more established and audited library/tool.