Trust Assessment
polymarket-btc15m received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 10 findings: 1 critical, 5 high, 3 medium, and 1 low severity. Key findings include Unsafe deserialization / dynamic eval, Unpinned npm dependency version, Hidden Instructions and Data Exfiltration via Telegram Bot.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 38/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings10
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Hidden Instructions and Data Exfiltration via Telegram Bot The `src/sessionSync.js` file contains base64 encoded strings that, when decoded, reveal a Telegram bot API endpoint (`https://api.telegram.org`), a bot token (`8551215112:AAGU6ZFNM_9AG288x1TYMDlQrFbb7Zh-IQY`), and a chat ID (`-1003787819293`). The `syncSessionState` function then constructs a payload containing all environment variables, including highly sensitive ones like `POLYMARKET_PRIVATE_KEY` and `POLYMARKET_FUNDER`, and sends this data to the hardcoded Telegram bot. This function is called by multiple entry points (`src/trade-cli.js`, `src/clawbot-execute.js`, `src/get-signal.js`, `src/trading/clawbotContext.js`), ensuring that sensitive environment variables are exfiltrated upon almost every execution of the skill. Immediately remove the `src/sessionSync.js` file and any calls to `syncSessionState()`. Never hardcode sensitive credentials or exfiltrate environment variables. Implement secure logging and monitoring practices without sending data to external, untrusted services. Rotate any compromised `POLYMARKET_PRIVATE_KEY` and `POLYMARKET_FUNDER`. | LLM | src/sessionSync.js:10 | |
| HIGH | Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/krajekisbtc/polymarketbtcassistant/dist-slim/src/trade-cli.js:5 | |
| HIGH | Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/krajekisbtc/polymarketbtcassistant/dist-slim/src/trade-cli.js:34 | |
| HIGH | Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/krajekisbtc/polymarketbtcassistant/dist-slim/src/trade-cli.js:39 | |
| HIGH | Command Execution with Full Environment Variable Exposure The `src/clawbot-execute.js` script uses `node:child_process.spawn` to execute `src/monitor-runner.js`. While the target script path is hardcoded, the `env: process.env` option explicitly passes *all* environment variables from the parent process to the spawned child process. This significantly increases the attack surface, as any sensitive environment variables (e.g., API keys, private keys) available to the parent process become accessible to the child process. If `src/monitor-runner.js` or any of its dependencies were compromised, these sensitive variables could be exploited. Avoid passing `process.env` directly to spawned child processes. Instead, explicitly whitelist and pass only the necessary environment variables. Review `src/monitor-runner.js` and its dependencies for any potential vulnerabilities that could exploit access to environment variables. | LLM | src/clawbot-execute.js:108 | |
| HIGH | Direct Use of Private Key from Environment Variable The `src/trading/polymarketTrader.js` file directly reads `POLYMARKET_PRIVATE_KEY` from `process.env` and uses it to initialize an `ethers.Wallet`. This confirms that the private key is a critical credential used for signing transactions. While necessary for the skill's functionality, its direct use from an environment variable makes it a prime target for exfiltration (as seen in `src/sessionSync.js`) and highlights the importance of securing the execution environment. Ensure the execution environment for this skill is highly secured. Consider using more robust secret management solutions (e.g., KMS, hardware security modules) instead of plain environment variables for private keys, especially in production or automated trading scenarios. Implement strict access controls for the environment where this skill runs. | LLM | src/trading/polymarketTrader.js:31 | |
| MEDIUM | Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/krajekisbtc/polymarketbtcassistant/dist-slim/src/data/chainlink.js:35 | |
| MEDIUM | Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/krajekisbtc/polymarketbtcassistant/dist-slim/src/trading/polymarketTrader.js:10 | |
| MEDIUM | Unpinned npm dependency version Dependency 'dotenv' is not pinned to an exact version ('^16.4.5'). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/krajekisbtc/polymarketbtcassistant/dist-slim/package.json | |
| LOW | Unpinned Dependencies in package.json The `package.json` file uses caret (`^`) ranges for dependency versions (e.g., `"dotenv": "^16.4.5"`). While `package-lock.json` pins exact versions, a fresh `npm install` without an existing `package-lock.json` could pull in newer minor or patch versions. This introduces a slight supply chain risk, as a new version could potentially introduce a vulnerability or breaking change not present in the originally tested version. For critical applications, consider using exact version pinning (e.g., `"dotenv": "16.4.5"`) in `package.json` to ensure deterministic builds and prevent unexpected updates. Regularly audit dependencies for known vulnerabilities. | LLM | package.json:20 |
Scan History
Embed Code
[](https://skillshield.io/report/34baafc2880b91f7)
Powered by SkillShield