Low Risk — Risk Score 5/100
Polymarket-Brain
Automated geopolitical and macroeconomic analysis pipeline that fetches CNBC news, routes to expert skills, matches Polymarket prediction markets, and delivers trading recommendations to Discord
A legitimate market-analysis pipeline that fetches news, routes to expert skills, matches Polymarket markets, and posts to Discord. No malicious indicators found—no credential theft, exfiltration, obfuscation, or undeclared sensitive behavior.
Skill Name: Polymarket-Brain
Duration: 75.7s
Engine: pi
Safe to install
Approve for use. Consider pinning Discord webhook URLs in environment variables rather than hardcoding across scripts.

Findings 3 items

[Low] subprocess usage not explicitly declared in SKILL.md (Doc Mismatch)
Location: polymarket_brain_orchestrator.py:68
SKILL.md describes Phase 1 as running a CNBC fetcher script but does not explicitly mention that subprocess.run is used to invoke it. This is a minor documentation gap; the behavior is otherwise consistent with the documented capability and the subprocess calls only execute local, documented Python scripts.
result = subprocess.run(["python", "scripts/fetch_cnbc_geopolitics.py", ...], cwd=CNBC_SKILL, ...)
→ Add a 'Shell Commands' section to SKILL.md documenting the subprocess calls to cnbc-geopolitics-fetcher, geopolitics-expert, and the-fed-agent scripts.

[Low] Hardcoded Windows user path in multiple scripts (Doc Mismatch)
Location: run_workflow.py:11
Several scripts contain hardcoded paths referencing 'C:\Users\Legion 5i Pro\' or 'LEGION~1', creating portability issues and potentially leaking a username. These are cosmetic and do not constitute malicious behavior.
BASE = Path(r"C:\Users\LEGION~1\AppData\Local\.browseros\skills")
→ Use os.environ['USERPROFILE'] or environment-variable-based paths for portability.

[Low] Discord webhook tokens hardcoded in source files (Sensitive Access)
Location: send_discord.py:9
Discord webhook URLs with embedded tokens are hardcoded across multiple Python files (send_discord.py, send_to_discord.py, orchestrator.py, etc.). These are public Discord webhook tokens used for posting messages—not true secrets—but hardcoding them is a poor practice.
WEBHOOK_URL = "https://discord.com/api/webhooks/1483478506070474922/ReIZsU3K..."
→ Load webhooks from environment variables or a config file excluded from version control.

Resource | Declared | Inferred | Status | Evidence
Network | READ | READ | ✓ Aligned | urllib/requests to CNBC RSS, Polymarket API, Discord webhooks—all documented and…
Filesystem | WRITE | WRITE | ✓ Aligned | Writes output JSON, analysis files, logs to output/ and memory/ directories
Shell | WRITE | WRITE | ✓ Aligned | subprocess.run([sys.executable, script]) for local Python scripts—documented and…
Environment | NONE | READ | ✓ Aligned | Reads USERPROFILE, APPDATA, SKILLS_ROOT, PYTHONIOENCODING—standard env vars for …
Skill Invoke | READ | READ | ✓ Aligned | Routes to geopolitics-expert, the-fed-agent via keyword classification
Clipboard | NONE | NONE | | Not used
Browser | NONE | NONE | | Not used; references to browser skills are routing logic, not actual browser inv…
Database | NONE | NONE | | Not used

62 findings

File Tree

52 files · 242.7 KB · 6484 lines
Python 21f · 3479L Markdown 17f · 2236L JSON 11f · 427L Text 3f · 342L
├─ 📁 analysis
│ ├─ 📝 geopolitics-expert-2026-03-17.md Markdown 88L · 5.0 KB
│ └─ 📝 the-fed-agent-2026-03-17.md Markdown 75L · 4.5 KB
├─ 📁 memory
│ ├─ 📝 2026-03-17-cnbc-fed-treasurys.md Markdown 33L · 1.4 KB
│ └─ 📝 2026-03-17-cnbc-iran-uae.md Markdown 29L · 1.2 KB
├─ 📁 output
│ ├─ 📋 analysis_input_1.json JSON 7L · 256 B
│ ├─ 📋 analysis_input_2.json JSON 7L · 299 B
│ ├─ 📋 analysis_input_3.json JSON 7L · 256 B
│ ├─ 📋 analysis_input_4.json JSON 7L · 299 B
│ ├─ 📋 analysis_input_5.json JSON 7L · 312 B
│ ├─ 📝 discord-message.md Markdown 44L · 2.6 KB
│ ├─ 📋 discord-payload.json JSON 3L · 1.6 KB
│ ├─ 📋 phase1_articles.json JSON 49L · 4.4 KB
│ ├─ 📋 phase2_analyses.json JSON 136L · 6.9 KB
│ ├─ 📋 phase2_expert_analysis.json JSON 23L · 596 B
│ ├─ 📋 phase3_markets.json JSON 74L · 3.5 KB
│ └─ 📝 polymarket-brain-summary-2026-03-17.md Markdown 115L · 5.2 KB
├─ 📁 references
│ ├─ 📝 config.md Markdown 20L · 798 B
│ ├─ 📝 discord-format.md Markdown 96L · 4.0 KB
│ └─ 📝 workflow.md Markdown 176L · 6.7 KB
├─ 📁 scripts
│ ├─ 📝 cnbc_articles_output.md Markdown 80L · 4.3 KB
│ ├─ 🐍 orchestrate.py Python 259L · 9.6 KB
│ ├─ 🐍 orchestrator.py Python 298L · 10.4 KB
│ ├─ 🐍 run_full_workflow.py Python 314L · 9.3 KB
│ ├─ 🐍 run_polymarket_brain.py Python 373L · 13.2 KB
│ ├─ 🐍 run_workflow.py Python 195L · 6.7 KB
│ ├─ 🐍 send_discord_summary.py Python 134L · 5.5 KB
│ ├─ 🐍 send_discord.py Python 206L · 6.0 KB
│ └─ 🐍 send_markets.py Python 48L · 1.9 KB
├─ 🐍 ai_analyzer.py Python 440L · 18.2 KB
├─ 📄 FINAL_SUMMARY.txt Text 140L · 7.8 KB
├─ 📄 GUARANTEE.txt Text 83L · 5.3 KB
├─ 📄 INSTALLATION_COMPLETE.txt Text 119L · 7.2 KB
├─ 📋 KNOWLEDGE_SNAPSHOT.json JSON 107L · 4.5 KB
├─ 📝 PERSISTENCE_VERIFICATION.md Markdown 111L · 2.7 KB
├─ 🐍 polymarket_brain_orchestrator_FIXED.py Python 116L · 2.8 KB
├─ 🐍 polymarket_brain_orchestrator.py Python 386L · 14.9 KB
├─ 📝 PRE_TEST_CHECKLIST.md Markdown 64L · 2.0 KB
├─ 📝 README.md Markdown 227L · 8.4 KB
├─ 📝 RESTART_GUARANTEE.md Markdown 152L · 2.9 KB
├─ 🐍 run_phases_2_4.py Python 247L · 8.9 KB
├─ 🐍 send_discord.py Python 128L · 4.4 KB
├─ 🐍 send_to_discord.py Python 118L · 3.8 KB
├─ 📝 SKILL.md Markdown 452L · 13.6 KB
├─ 🐍 test_both_webhooks.py Python 17L · 785 B
├─ 🐍 test_message_length.py Python 59L · 1.9 KB
├─ 🐍 test_orchestrator_header.py Python 36L · 1.0 KB
├─ 🐍 test_phase1_webhook.py Python 12L · 502 B
├─ 🐍 test_urllib_headers.py Python 43L · 1.1 KB
├─ 🐍 test_urllib.py Python 43L · 1.1 KB
├─ 🐍 test_webhook.py Python 7L · 323 B
├─ 📝 TROUBLESHOOTING.md Markdown 370L · 8.6 KB
└─ 📝 WORKFLOW_LOGIC.md Markdown 104L · 3.1 KB

Security Positives

✓ No credential harvesting—skill never accesses ~/.ssh, ~/.aws, .env, or similar sensitive paths
✓ No data exfiltration—outbound network requests only to legitimate APIs (CNBC RSS, Polymarket API, Discord webhooks)
✓ No obfuscation—zero base64, atob, eval(), or hidden encoded payloads
✓ No remote script execution—subprocess only invokes local Python scripts within the skill bundle
✓ Documentation is accurate—SKILL.md accurately describes the 4-phase workflow and matches code behavior
✓ No supply chain threats—uses standard libraries (requests, urllib, json, subprocess) with no external dependencies declared
✓ Skill self-contains its outputs—analysis results written to local output/ directory, not exfiltrated
✓ Exit code 0 always on no-new-news is a good resilience pattern
✓ No persistence mechanisms—no cron, startup hooks, or backdoor installation detected
✓ Discord webhook tokens are public Discord webhooks (not server-side secrets) but still should be env-variable backed