Polymarket OpenClaw Trader

v1.0.0

Reusable Polymarket + OpenClaw trading operations skill for any workspace. Use when the user needs to set up, run, tune, monitor, and deploy an automated Pol...

by Ornata @08820048
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The skill's stated purpose (automated Polymarket trading) legitimately requires wallet/private-key and runtime flags; the SKILL.md indeed documents POLYMARKET_PRIVATE_KEY, POLYMARKET_WALLET_ADDRESS, EXECUTION_MODE, etc. However, the registry metadata declares no required env vars or primary credential, which is inconsistent and misleading for a trading skill that handles secrets.
Instruction Scope
SKILL.md gives concrete runtime steps (cd into project, edit .env, run cli_bot.py, restart processes, deploy web_app, git commits). Those actions are within scope for operating a trading bot. It explicitly warns not to echo private keys, and to only write private keys with explicit user authorization. Still, the instructions call for writing secrets into .env and running background processes, actions that can expose secrets or be misused if the origin of the skill or project isn't verified.
Install Mechanism
No install spec and no code files — instruction-only. This is lower risk than arbitrary install scripts because nothing will be pulled/installed automatically by the skill metadata.
Credentials
The SKILL.md lists multiple sensitive environment variables (private key, wallet address, optional funder and webhook). The registry metadata, however, lists none and provides no primary credential. Requesting private keys and webhook URLs is reasonable for a trader, but the omission from metadata is a red flag: consumers won't be warned in advance about required secrets, increasing risk of accidental disclosure. Optional DISCORD_WEBHOOK_URL could also be used to send data externally if misconfigured.
Persistence & Privilege
always:false and no install means the skill doesn't demand permanent presence or system-wide configuration. SKILL.md does suggest updating project memory and git commits in the project repository, which is expected for deployment/maintenance and limited in scope to the project itself.
What to consider before installing
This skill is instruction-only and appears to be what it says (a Polymarket/OpenClaw trading operations guide), but the registry metadata fails to declare the sensitive environment variables the instructions require. Before using or trusting this skill:

1) Verify the skill's source and request a homepage or repo.
2) Do not paste your real private key into any system unless you fully trust the project and have audited the bot code; prefer paper mode and read-only credentials for initial testing.
3) If you must use a key, consider offline signing or a restricted key and keep funds minimal.
4) Treat any webhook URL (e.g., DISCORD_WEBHOOK_URL) as capable of exfiltrating data: review what the bot will post and restrict the endpoint.
5) Ask the publisher to update registry metadata to list required env vars/primary credential so consumers are warned.
6) Run initial tests in an isolated environment and review logs/behavior before using live funds.

If you cannot verify the origin or code of the project, be cautious and consider this skill suspicious.

Like a lobster shell, security has layers — review code before you run it.

latestvk97axph9ewrz6yak3qbp9qkt2182edx9

