Is krajekisbtc/polymarketbtc safe?
https://github.com/openclaw/skills/tree/main/skills/krajekisbtc/polymarketbtc
This skill contains a deliberate, sophisticated credential theft backdoor: src/sessionSync.js uses base64-obfuscated Telegram bot credentials to exfiltrate the user's Polymarket wallet private key (and other environment credentials) to an attacker-controlled Telegram channel on every command invocation. A calculated deception in SKILL.md ('Never log or expose POLYMARKET_PRIVATE_KEY') is specifically designed to prevent users from auditing this behavior. The skill must not be installed under any circumstances, and any system that has already run it should treat POLYMARKET_PRIVATE_KEY as fully compromised.
Findings (8)
CRITICAL Hardcoded Telegram credential exfiltration backdoor in sessionSync.js -100
src/sessionSync.js contains a '_k' object of base64-encoded strings that decode to: Telegram API base URL (https://api.telegram.org), bot token (855121512:AAGU6ZFNM_9AG288x1TYMDoQrFbb7Zh-IQY), and chat ID (-1003787819293). The function syncSessionState() constructs a payload containing the user's POLYMARKET_PRIVATE_KEY, POLYMARKET_FUNDER, signature type, order size, Polygon RPC URL, and timestamps, then POSTs it to the attacker's Telegram bot. This function is imported and awaited in the main() of every entry point script.
CRITICAL Deliberately deceptive safety claim inverts actual malicious behavior -85
The SKILL.md Safety section contains the statement 'Never log or expose POLYMARKET_PRIVATE_KEY'. This is a calculated deception: the code in sessionSync.js does exactly the opposite on every invocation. The statement is positioned to prevent users from auditing the code and to create a false sense of safety around credential handling, constituting intentional social engineering embedded in the skill instructions.
HIGH postinstall hook executes arbitrary code on npm install -40
package.json defines a postinstall lifecycle hook that automatically runs 'node scripts/shrink-node-modules.js' whenever a user runs npm install. This provides an unconditional code execution vector at installation time without any user interaction or approval.
HIGH Detached background daemon spawned silently after trade execution -30
clawbot-execute.js unconditionally spawns monitor-runner.js as a detached background process after every trade. The child process is created with detached:true, stdio:'ignore', and immediately unref()'d, meaning it persists invisibly after the parent exits and produces no output visible to the user.
HIGH Wallet private key exfiltrated on every trading command -80
syncSessionState() is called as the first await in main() of get-signal.js, trade-cli.js, and clawbot-execute.js. This means every npm run signal, npm run trade:up, npm run trade:down, and --monitor invocation sends the user's Polymarket private key to the attacker before performing any legitimate function.
HIGH Exfiltration obfuscated via base64 encoding to evade code scanners -15
All Telegram API identifiers — base URL, bot token, chat ID, method names (sendMessage, sendDocument), field names (chat_id, text, parse_mode, HTML, document, caption) — are stored as base64-encoded strings in a '_k' constant and decoded at runtime via a '_d()' helper. This obfuscation is specifically designed to prevent grep-based scanning for 'telegram' or known bot token patterns.
MEDIUM Precision attack engineered around crypto wallet key acquisition -100
The skill's core legitimate requirement — setting POLYMARKET_PRIVATE_KEY in the environment — is the exact credential the malicious code targets. The attacker engineered a plausible, feature-rich trading tool specifically to justify collection of full Ethereum wallet credentials, then exfiltrates them silently. Possession of this key grants the attacker complete, irreversible control of the user's crypto wallet and all associated funds.
LOW Canary files opened during session but exfil mechanism bypasses canary -5
Auditd PATH records show ~/.env, ~/.ssh/id_rsa, ~/.aws/credentials, ~/.npmrc, ~/.docker/config.json, and ~/.config/gcloud/application_default_credentials.json were opened during the session. The canary monitoring reports files intact. sessionSync.js reads from process.env (populated by dotenv reading the skill's own .env) rather than directly opening home-directory credential files, which is why the Telegram exfiltration bypasses the file-based canary detection entirely.