polyclaw
Fail
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: HIGH (CREDENTIALS_UNSAFE, COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS)
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill requires the user to provide a raw EVM private key via the POLYCLAW_PRIVATE_KEY environment variable. This key is used unencrypted to sign and broadcast on-chain transactions on the Polygon network.
- [COMMAND_EXECUTION]: The main entry point scripts/polyclaw.py uses subprocess.run to execute other scripts within the skill directory based on user-provided arguments.
- [PROMPT_INJECTION]: The hedge discovery mechanism in scripts/hedge.py is vulnerable to indirect prompt injection.
  - Ingestion points: Market questions and descriptions are fetched from the Polymarket Gamma API and directly interpolated into LLM prompts.
  - Boundary markers: The prompt uses standard double quotes for market questions but lacks explicit instructions to ignore embedded commands or structural validation of the untrusted content.
  - Capability inventory: The skill possesses the capability to execute financial transactions (splitting positions and selling on the CLOB) which could be targeted by an injection.
  - Sanitization: There is no visible sanitization or filtering of the market questions before they are processed by the LLM.
- [EXTERNAL_DOWNLOADS]: The skill interacts with the Polymarket Gamma API and CLOB API for market data and order management, and uses Chainstack's Polygon RPC for blockchain operations. It also makes requests to OpenRouter for LLM-based analysis.
Recommendations
- AI detected serious security threats
Audit Metadata