Is polymarket-analysis safe?

https://clawhub.ai/hiehoo/polymarket-analysis

62
CAUTION

The polymarket-analysis skill is functionally benign — it provides legitimate Polymarket trading analysis through API calls and Python scripts. However, it bundles a claw-shell component that provides weakly guarded arbitrary shell execution, and its cron monitoring feature creates persistent autonomous agent sessions. The combination of unrestricted shell access, outbound network requests, executable Python scripts, and persistent scheduling creates a significant attack surface that could be exploited through supply chain updates.

Category Scores

Prompt Injection 55/100 · 30%
Data Exfiltration 60/100 · 25%
Code Execution 40/100 · 20%
Clone Behavior 85/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 45/100 · 5%

Findings (10)

HIGH Bundled claw-shell provides unrestricted shell execution -35

The skill bundle includes claw-shell, which uses Node.js execSync() to run arbitrary commands in a tmux session. The isDangerous() safety check is a weak substring blocklist that can be trivially bypassed with shell quoting, variable substitution, or encoding tricks. For example, 'su""do rm -rf /' passes the string match because the blocklist looks for the literal token 'sudo', while the shell concatenates the adjacent quoted fragments and runs sudo anyway. Any skill in the bundle therefore has full shell access.

HIGH Cron monitoring creates persistent autonomous agent sessions -25

The market-monitoring-setup.md reference instructs the agent to create clawdbot cron jobs that spawn isolated agent sessions on a schedule (every 5 minutes). These sessions run autonomously with the full skill context, meaning any malicious instructions embedded in state files or skill content would be executed repeatedly without user oversight.

MEDIUM Imperative behavioral directives in claw-shell SKILL.md -10

The claw-shell SKILL.md uses ALL-CAPS imperative instructions that function as behavioral overrides for the LLM agent: 'ALWAYS USES TMUX SESSION claw', 'NEVER TOUCH ANY OTHER SESSION'. While scoped to tmux usage, this pattern demonstrates the ability to direct agent behavior through skill content.

MEDIUM Python scripts execute with full host access -15

Two Python scripts (monitor-polymarket-market.py and fetch-polymarket-user-profile.py) run directly on the host with no sandboxing. They have access to the full Python standard library including os, subprocess, and network modules. While current code only uses urllib for API calls and json for file I/O, a supply chain update could add malicious functionality.

MEDIUM Outbound HTTP requests to multiple external APIs -20

The skill makes HTTP requests to gamma-api.polymarket.com, data-api.polymarket.com, and clob.polymarket.com. While these are legitimate Polymarket APIs, the urllib-based implementation has no domain pinning — a modified version of the script could add requests to attacker-controlled endpoints alongside the legitimate calls.

MEDIUM State files accumulate financial analysis data -10

The monitoring script writes market state to JSON files in the state/ directory, accumulating price history, volume data, and alert triggers. This data could reveal the user's trading interests and strategies. The cron system repeatedly reads and writes these files.

MEDIUM Command injection via tmux send-keys escaping -10

The claw-shell handler.js escapes double quotes in the command but does not neutralize other shell metacharacters ($, backticks, semicolons). The command is interpolated into a template string that is handed to execSync, which spawns a shell to run the tmux invocation; a payload such as $(...) is therefore evaluated by that outer shell before tmux ever receives the keystrokes, and the isDangerous() check, which only inspects the literal text, never sees the expanded command.

LOW Skill instructs agent to run scripts directly -10

The SKILL.md Quick Start section instructs the agent to execute Python scripts as part of normal operation, normalizing code execution as a routine skill action. Users may not realize that 'analyzing a market' involves running arbitrary Python on their machine.

LOW SSH host key reads during installation -15

Filesystem monitoring detected reads of SSH host keys (rsa, ecdsa, ed25519) and authorized_keys during the installation phase. This is most likely the SSH daemon servicing the installation session, not the skill itself, but warrants noting.

INFO Skill architecture provides all primitives for abuse -55

The combination of shell execution (claw-shell), network access (API calls), persistent scheduling (cron monitoring), local state storage (state files), and Python script execution creates a complete toolkit that could be repurposed for malicious operations through a supply chain update. The skill is currently benign but architecturally dangerous.