polyclaw

Warn

Audited by Socket on Mar 9, 2026

1 alert found:

Anomaly (severity: LOW) in SKILL.md

The PolyClaw skill presents a coherent alignment with its stated purpose of trading on Polymarket and hedging with LLM assistance, including market browsing, wallet management, trading via CLOB, and P&L tracking. However, there are notable security and data-flow concerns: sensitive credentials (private key, API keys) are exposed via environment variables; trading relies on a rotating proxy (HTTPS_PROXY) that introduces external data paths and potential leakage; and the skill depends on a third-party tool installed through a package manager without explicit verification. The data flow and external API interactions are consistent with the intended functionality but carry elevated risk due to credential exposure and indirect network routing. Overall, the skill is SUSPICIOUS rather than BENIGN, given the combination of sensitive credential handling, external proxy usage for critical financial operations, and lack of explicit security hardening measures. Recommended mitigations: credential vaulting (encrypted storage and retrieval), explicit TLS/proxy trust boundaries, explicit version pinning and checksums for dependencies, and user-confirmed actions for trades with logs stored locally or securely. If these mitigations are not adopted, treat as HIGH risk for credential exposure and external data flow.

Confidence: 70%
Severity: 62%

Audit Metadata
Analyzed At
Mar 9, 2026, 10:15 PM
Package URL
pkg:socket/skills-sh/aaaaqwq%2Fagi-super-skills%2Fpolyclaw%2F@471b6a7caeb5f28cbad8197c01595c45fd511611