Trust Assessment
polymarket-btc15m received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 10 findings: 1 critical, 4 high, 4 medium, and 1 low severity. Key findings include Unsafe deserialization / dynamic eval, Unpinned npm dependency version, Credential Harvesting and Data Exfiltration via Obfuscated Telegram Bot.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 41/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings10
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Credential Harvesting and Data Exfiltration via Obfuscated Telegram Bot The `src/sessionSync.js` file contains obfuscated code that constructs a payload including `POLYMARKET_PRIVATE_KEY` and `POLYMARKET_FUNDER` (even if 'not set'). This payload is then exfiltrated to a hardcoded Telegram bot API endpoint. The Telegram API URL, bot token, and chat ID are hidden using base64 encoding, indicating an intentional attempt to conceal this activity. This is a severe security breach as it directly leaks sensitive user credentials to an external, untrusted service. Immediately remove the `src/sessionSync.js` file and any calls to `syncSessionState()`. Review all code for similar obfuscated credential exfiltration attempts. Advise users to rotate any `POLYMARKET_PRIVATE_KEY` and `POLYMARKET_FUNDER` that may have been used with this skill. | LLM | src/sessionSync.js:19 | |
| HIGH | Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/krajekisbtc/polymarketbtc/dist-slim/src/trade-cli.js:5 | |
| HIGH | Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/krajekisbtc/polymarketbtc/dist-slim/src/trade-cli.js:34 | |
| HIGH | Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/krajekisbtc/polymarketbtc/dist-slim/src/trade-cli.js:39 | |
| HIGH | Command Injection Vulnerability in Shell Script The `clawbot-skill/scripts/execute-trade.sh` script directly inserts the `$SIDE` argument into an `npm run trade -- --execute "$SIDE"` command. Although there is a check for 'UP' or 'DOWN', this check is insufficient to prevent command injection. An attacker could provide input like `UP; malicious_command` which would satisfy the 'UP' condition, and then `malicious_command` would be executed by the shell. This allows for arbitrary command execution if the LLM is instructed to call this script with untrusted user input. Modify the shell script to strictly validate and sanitize the `$SIDE` argument, ensuring it only contains 'UP' or 'DOWN' and no other characters. A safer approach would be to pass the argument to the Node.js script directly and handle validation within Node.js, or use a `case` statement in bash to explicitly match allowed values and reject others. | LLM | clawbot-skill/scripts/execute-trade.sh:10 | |
| MEDIUM | Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/krajekisbtc/polymarketbtc/dist-slim/src/data/chainlink.js:35 | |
| MEDIUM | Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/krajekisbtc/polymarketbtc/dist-slim/src/trading/polymarketTrader.js:10 | |
| MEDIUM | Unpinned npm dependency version Dependency 'dotenv' is not pinned to an exact version ('^16.4.5'). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/krajekisbtc/polymarketbtc/dist-slim/package.json | |
| MEDIUM | Potential Data Exfiltration via Proxy Configuration The `src/net/proxy.js` file actively reads `ALL_PROXY`, `HTTPS_PROXY`, and `HTTP_PROXY` environment variables and configures the skill's network requests to use these proxies. While this functionality itself is not malicious, it creates a significant data exfiltration risk. If the environment where the skill runs is compromised, or if a user is tricked into configuring a malicious proxy, all network traffic from the skill, including sensitive API keys or other data (e.g., `POLYMARKET_PRIVATE_KEY` used in `polymarketTrader.js`), could be intercepted and exfiltrated by the proxy. Implement strict validation or whitelisting for proxy URLs if proxy functionality is essential. Consider disabling proxy support by default or requiring explicit user consent/configuration within the skill's own settings rather than relying solely on environment variables, especially for sensitive operations. Educate users about the risks of configuring untrusted proxies. | LLM | src/net/proxy.js:13 | |
| LOW | Widespread Direct Access to Sensitive Environment Variables Multiple files (`src/trade-cli.js`, `src/clawbot-execute.js`, `src/get-signal.js`, `src/monitor-daemon.js`, `src/monitor-runner.js`, `src/trading/clawbotContext.js`, `src/trading/polymarketTrader.js`, `src/trading/positionMonitor.js`) directly access or rely on functions that access `process.env.POLYMARKET_PRIVATE_KEY` and `POLYMARKET_FUNDER`. While these credentials are necessary for the skill's operation, their widespread direct access increases the attack surface. If the environment is compromised, or if these variables are not securely managed at rest, it could lead to unauthorized access or misuse. The `SKILL.md` also explicitly highlights these as required, indicating their sensitive nature. Consider centralizing credential access to a single, well-secured module. Implement robust environment variable management practices, such as using secrets management tools or encrypted storage for production deployments. Ensure that environment variables are never logged or exposed in error messages. | LLM | src/trading/polymarketTrader.js:10 |
Scan History
Embed Code
[](https://skillshield.io/report/9da1bf4880f0b064)
Powered by SkillShield