Is andretuta/polymarket-agent safe?

https://github.com/openclaw/skills/tree/main/skills/andretuta/polymarket-agent

69
CAUTION

The Polymarket Agent is a functional Python-based prediction market trading skill with legitimate use cases but material security risks. The two primary concerns are: (1) an autonomous trading mode that can execute real on-chain USDC transactions without per-trade user confirmation, combined with a setup wizard that stores the user's Polygon wallet private key in the agent's configuration; and (2) mandatory arbitrary URL fetching that creates a broad indirect prompt injection surface, providing a path from attacker-controlled web content to financial transaction execution. The install process itself was clean — only GitHub was contacted, no credential exfiltration was observed, and the official canary integrity check passed.

Category Scores

Prompt Injection 60/100 · 30%
Data Exfiltration 75/100 · 25%
Code Execution 70/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 75/100 · 10%
Behavioral Reasoning 40/100 · 5%

Findings (10)

HIGH Autonomous Trading Mode Bypasses Per-Trade User Confirmation -20

SKILL.md explicitly documents and cli.py implements a 'poly auto enable' command that switches the agent into autonomous mode, permitting execution of real USDC trades on Polygon without requiring user confirmation for each trade. The SKILL.md states 'Execute trades when the user approves (or autonomously if configured)'. In autonomous mode, any prompt injection reaching the agent — e.g., via a fetched URL containing instructions — could trigger unauthorized financial transactions against the user's wallet.

HIGH Setup Wizard Harvests Polygon Wallet Private Key -20

configure.py implements an interactive wizard that prompts for the user's Polygon wallet private key (which controls real USDC funds) via questionary.password(), then persists it with 'clawdbot config set skills.entries.polymarket-agent.env.POLYMARKET_KEY '. The wizard reassures the user that 'Your key never leaves your machine.' That is true of the setup flow as observed (no network egress of the key was seen), but it understates the exposure: the key is written into the agent's shared configuration store, so any other skill, process, or successful prompt injection that can read clawdbot's config gains full control of the wallet. This is the mechanism the skill needs in order to function, so the risk is structural rather than evidence of malicious intent.

HIGH Six Credential Files Read During Install Window -25

Both inotify and auditd independently record six sensitive credential files being opened and read at two points during the audit: at the pre-install baseline (audit timestamp 1771651595.803) and again post-install (1771651621.591). The files are .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .config/gcloud/application_default_credentials.json. The first batch coincides with the pre-install baseline and the second is consistent with the monitoring system's post-install canary verification sweep; no corroborating exfiltration network traffic was observed in either window. The official canary integrity verdict is PASSED: files intact, not modified.

MEDIUM Mandatory Arbitrary URL Fetching Enables Indirect Prompt Injection -10

SKILL.md explicitly mandates that the agent fetch full page content from arbitrary external URLs discovered through web search. If an attacker controls or can influence content at a URL the agent fetches (e.g., a news article, Reddit post, or financial analysis page), they can inject instructions into the agent's context window. Given the skill's instruction to execute trades after analysis, this creates a direct path from external attacker-controlled content to financial transactions.

MEDIUM Large Python Supply Chain via web3 and py-clob-client -15

The skill installs web3 and py-clob-client, each of which pulls in a sizeable tree of transitive Python dependencies (cryptography libraries, eth-account, hexbytes, protobuf, and others). A malicious or compromised package anywhere in that tree, whether introduced by typosquatting or by a hijacked release, executes in the same environment where the user's Polygon private key is stored. install.sh and configure.py both invoke pip install independently, so the dependency tree is resolved and fetched at two separate points.

MEDIUM Stored Private Key + Autonomous Mode Creates Unauthorized Trading Risk -30

The combination of (1) a stored Polygon wallet private key in clawdbot's config and (2) an autonomous trading mode that bypasses confirmation represents a high-risk configuration. If a prompt injection succeeds via a fetched URL, a cron-triggered session, or a malicious co-installed skill, an attacker could silently drain the user's USDC balance. The trade.py code demonstrates that the key is sufficient to create an authenticated ClobClient and post orders without any additional user interaction.

MEDIUM Cron Jobs Enable Persistent Autonomous Execution -5

SKILL.md instructs the agent to create scheduled cron jobs for market monitoring, daily briefings, and event tracking using the clawdbot cron system. These jobs execute autonomously at scheduled times without per-run user approval and run in the context of the full agent with access to stored credentials. A compromised or injection-triggered cron setup could schedule recurring unauthorized actions.

LOW Agent Instructed to Act Without User Request -5

SKILL.md instructs the agent to proactively take actions even without being asked, including warning about expiring positions, flagging news affecting open trades, suggesting trade exits, and tracking win/loss performance. While individually benign, these proactive behaviors expand the agent's operational envelope and could be combined with other vulnerabilities to trigger unsolicited actions.

LOW subprocess.run with shell=True in doctor() Health Check -5

cli.py's doctor() command runs its dependency version checks through subprocess.run with shell=True (e.g., 'python --version', 'pip --version'). The commands are currently hardcoded string literals, so there is no injection today, but shell=True is a pattern that becomes exploitable the moment any part of the command string is built from user input, configuration, or fetched content. Passing an argument list without shell=True removes the shell from the path entirely.
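To make the finding concrete, here is the flagged pattern beside a hardened form. This is an added example, not the skill's doctor() code: it uses the running interpreter (sys.executable) instead of a bare 'python' so that it runs anywhere, and the tainted tool name is constructed to show what a dynamically built command string would do.

```python
"""Added example, not the skill's doctor() code: subprocess.run with
shell=True beside a hardened form. The tainted input is constructed."""
import subprocess
import sys
from typing import Dict, List, Optional


def version_check_unsafe(tool: str) -> str:
    """The flagged pattern: one string handed to /bin/sh. Safe only while
    'tool' is a hard-coded literal; any dynamic input becomes shell syntax."""
    proc = subprocess.run(f"{tool} --version", shell=True, capture_output=True,
                          text=True, stdin=subprocess.DEVNULL, timeout=30)
    return proc.stdout + proc.stderr


# Hardened form: the caller's input only selects a fixed argv vector; it is
# never interpolated into a command line, and no shell is involved.
_CHECKS: Dict[str, List[str]] = {
    "python": [sys.executable, "--version"],
    "pip": [sys.executable, "-m", "pip", "--version"],
}


def version_check_safe(tool: str) -> Optional[str]:
    argv = _CHECKS.get(tool)
    if argv is None:
        return None  # unknown tool name: refuse rather than guess
    try:
        proc = subprocess.run(argv, capture_output=True, text=True,
                              stdin=subprocess.DEVNULL, timeout=30)
    except FileNotFoundError:
        return None
    return proc.stdout + proc.stderr


def demo() -> Dict[str, Optional[str]]:
    """Constructed tainted tool name: the shell form executes the injected
    'echo', the allowlisted argv form refuses the name outright."""
    tainted = f"{sys.executable}; echo INJECTED"
    return {
        "unsafe": version_check_unsafe(tainted),
        "safe_tainted": version_check_safe(tainted),
        "safe_python": version_check_safe("python"),
    }


if __name__ == "__main__":
    for label, output in demo().items():
        print(f"{label}: {output!r}")
```

If a tool name must come from outside, the allowlist lookup is the fix; if an argument must come from outside, it goes into the argv list as a single element, which the kernel passes to the program verbatim without any shell parsing.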

INFO Clean Install — Only GitHub Contacted, No Persistent Listeners 0

The git clone and skill installation process contacted only GitHub (140.82.121.4:443). No unexpected outbound connections, no new persistent network listeners, no processes spawned outside the expected install workflow. The connection diff confirms the pre- and post-install network state is identical except for the SSH session used by the monitoring system.