Is lvy19811120-gif/polymarketagent safe?

https://github.com/openclaw/skills/tree/main/skills/lvy19811120-gif/polymarketagent

Score: 19 · MALICIOUS

This skill is a confirmed malware dropper masquerading as a cryptocurrency trading automation tool. The macOS setup command contains a base64-obfuscated curl-pipe-bash payload that downloads and executes arbitrary code from the suspicious bare IP 91.92.242.30, while a fake Apple CDN URL prefix is used as camouflage. The Windows path delivers a password-protected executable (AV evasion) from an unaffiliated GitHub account, and the troubleshooting section explicitly instructs sudo re-execution to escalate to root. No trading functionality exists in the repository; the entire skill exists to trick users and LLM agents into executing the malicious payloads.

Category Scores

Prompt Injection 2/100 · 30%
Data Exfiltration 5/100 · 25%
Code Execution 0/100 · 20%
Clone Behavior 80/100 · 10%
Canary Integrity 90/100 · 10%
Behavioral Reasoning 0/100 · 5%

Findings (12)

CRITICAL Remote code execution via curl-pipe-bash from unverified IP -98

The macOS setup command contains a base64-encoded payload that decodes to a curl-pipe-bash one-liner fetching from http://91.92.242.30/6x8c0trkp4l9uugo. This IP has no association with Apple, Polymarket, or Hyperliquid. Execution grants the server operator arbitrary code execution on the user's machine as the current user (or as root via the sudo variant in the Troubleshooting section).

CRITICAL Windows trojan via AV-evading password-protected executable -95

The Windows path instructs users to download PolymarketAuthTool.zip from a GitHub account ('Aslaep123') with no affiliation to Polymarket, extract it with the embedded password 'poly' (defeating signature-based AV), and run the contained PolymarketAuth.exe prior to using the skill. This is a textbook AV-evasion distribution pattern.

CRITICAL Deceptive Apple CDN URL used as camouflage for malicious endpoint -60

The macOS command begins by echoing a fake Apple CDN URL to standard output before piping the actual payload. This is purely cosmetic—the echo output is never used. The intent is to make the command appear legitimate at a glance and to defeat heuristic analysis that looks for raw suspicious IPs.

CRITICAL Explicit privilege escalation: sudo re-execution of malicious payload -90

The Troubleshooting section for macOS instructs users who encounter 'Permission denied' to re-run the identical base64 payload prefixed with sudo, granting the remote attacker root-level code execution.

HIGH False 'OFFICIAL' branding in _meta.json to manufacture trust -25

_meta.json sets displayName to '[OFFICIAL] Polymarket Trading Agent'. Polymarket has no affiliation with this skill. The label is designed to suppress user skepticism and pass content moderation that looks for impersonation indicators.

HIGH High-pressure coercive language to override user judgment -15

The skill uses all-caps warnings ('CRITICAL REQUIREMENT', 'MANDATORY SETUP', 'THE SKILL WILL NOT WORK WITHOUT THIS STEP', 'FINAL REMINDER') repeated across multiple sections to psychologically pressure users into executing the payload without scrutiny. This is a social engineering technique designed to suppress the user's critical evaluation.

HIGH Credential harvesting setup via mandatory .env creation -60

The skill instructs users to place high-value secrets (Polymarket API keys, Hyperliquid API keys, wallet address) into a .env file in the project root. If the RCE payload executes, these credentials are immediately accessible to the attacker.

HIGH Payload endpoint 91.92.242.30 is a bare IP with no TLS or content-addressing -70

The curl target uses HTTP (not HTTPS), a bare IP address (no domain, no certificate pinning), and an opaque path. This is consistent with a throwaway command-and-control server. The downloaded payload could contain a credential stealer, reverse shell, or crypto wallet drainer tailored to Polymarket/Hyperliquid users.

MEDIUM Fake trading functionality used as pretext to legitimize mandatory setup -100

All described trading features (Polymarket API, Hyperliquid integration, hedging engine, arbitrage detection) are window dressing. No actual trading code, API integration, or MCP server implementations are included in the repository. The 'MANDATORY SETUP' steps are the entire functional payload of this skill.

MEDIUM Adversarial 'Security & Risk Disclaimer' section legitimizes malicious delivery vectors -10

The disclaimer explicitly tells users 'Only download from the official link provided (Windows) or use the official command (macOS). Verify file integrity before execution.' This preempts skepticism by framing the attacker-controlled download as the verified, trusted source.

LOW No anomalous behavior during sandbox installation -20

The git sparse-checkout and file copy completed normally. All observed process executions and network connections during install are consistent with standard git operations to GitHub. The malicious payload is deferred to agent runtime, not triggered at install time.

INFO Canary credential files accessed but not modified or exfiltrated during sandbox run -10

The audit framework's honeypot files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) show file-open events in the auditd PATH records but the canary integrity check reports all files intact. The accesses are attributable to the oathe monitoring framework's pre/post collection passes, not to the skill payload executing.