Oathe Security Badge

Is hiehoo/polymarket-analysis safe?

https://github.com/openclaw/skills/tree/main/skills/hiehoo/polymarket-analysis

89
SAFE

The polymarket-analysis skill is a legitimate Polymarket trading analysis tool with no prompt injection, no credential-reading code in any file, and confirmed canary integrity. The skill's Python scripts cleanly call only public Polymarket APIs using standard library modules with no obfuscation or side effects. The primary concerns are architectural rather than malicious: the skill creates persistent clawdbot cron jobs that run agent turns autonomously every few minutes, and the wallet profile tracking feature enables financial surveillance of arbitrary addresses. Post-install credential file accesses in the audit log match the pre-install audit framework canary scan pattern and are not attributable to the skill.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 88/100 · 25%
Code Execution 78/100 · 20%
Clone Behavior 88/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 82/100 · 5%

Findings (5)

MEDIUM Persistent Cron Job Creation via Skill Instructions -22

market-monitoring-setup.md instructs the agent to create clawdbot cron jobs with sessionTarget 'isolated' and deliver:true that run agent-turn messages every 1-30 minutes indefinitely. These background processes operate autonomously after the user initiates monitoring, accumulating API usage and running agent turns without further user prompting. The cron payloads are plaintext market analysis instructions with no malicious content, but the capability itself is a significant footprint expansion.

LOW Arbitrary Wallet Financial Surveillance -12

The skill instructs the agent to run fetch-polymarket-user-profile.py against any wallet address, retrieving full position data, trade history, and P&L. While legitimate for market analysis, this enables tracking of specific individuals' financial activity on-chain without their knowledge.

LOW Executable Python Scripts with Outbound Network Access -10

The skill bundles two Python scripts the agent is explicitly instructed to execute. Both make outbound HTTPS calls. Scripts are clean — standard library only, no obfuscation, no credential access, no encoded payloads. Risk is low but the execution surface exists.

INFO Post-Install Gateway Connections to AWS and Cloudflare 0

After skill installation, the openclaw-gatewa process (pid=1084) established new TCP connections to 54.211.197.216:443 (AWS EC2) and 104.16.3.34:443 (Cloudflare). The process was running before installation; these connections are consistent with the audit infrastructure reporting results, not action by the installed skill. No EXECVE events link these connections to skill code.

INFO Credential File Accesses Attributed to Audit Framework Canary Scanning 0

Audit PATH records show batch simultaneous access to all six credential canary files at timestamp 1771904442.675 (post-install). The identical file set and simultaneous-timestamp pattern also appears pre-install at 1771904419.341. This strongly indicates the oathe auditing framework performing before/after canary baseline comparisons. The skill's Python code contains no references to these files. Canary integrity confirmed intact.