Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Polymarket Trading (skill)
v1.0.1
Use when an OpenClaw user needs fast NBA opportunity scanning, NBA-only /fair pricing, or deep analysis of one specific Polymarket market or event in any dom...
by Abruzz1 (@a1594834522-coder)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious (medium confidence)
Purpose & Capability
The name/description (Polymarket decision support, NBA scan/fair/deep analysis) align with the SKILL.md and the documented local API endpoints. Requiring an OpenClaw-local agent API as a backend is reasonable for this functionality. However, the skill's registry metadata lists no required env vars or primary credential while the SKILL.md explicitly asks for OPENCLAW_AGENT_API_BASE_URL and OPENCLAW_AGENT_API_KEY — that metadata omission is an inconsistency.
Instruction Scope
The SKILL.md limits runtime actions to read-only queries against a local OpenClaw agent API (/events, /markets, /markets/{id}/fair, /orderbook, /check, /health). It explicitly forbids trading, wallet/portfolio ops, or making final trade decisions. It does not instruct reading arbitrary files or contacting external endpoints outside the declared local agent base path.
Install Mechanism
This is an instruction-only skill with no install spec and no code files to write to disk, which minimizes install-time risk.
Credentials
SKILL.md requires two user-managed environment variables (OPENCLAW_AGENT_API_BASE_URL and OPENCLAW_AGENT_API_KEY) but the registry metadata reports 'Required env vars: none' and no primary credential. The requested variables are proportionate to purpose (to call a local read-only API), but the metadata omission is a transparency problem: users and the platform are not being told up-front which secrets the skill depends on. Also confirm that any API key you provide is strictly read-only and scoped to avoid unintended actions.
Persistence & Privilege
The skill is not force-installed (always:false) and the agent manifest allows implicit invocation (policy.allow_implicit_invocation: true). Implicit/autonomous invocation is normal for skills, but combined with the metadata omission it increases the value of ensuring the API key is read-only and scoped.
What to consider before installing
This skill appears to do what it says (read-only Polymarket decision support) and will call a local OpenClaw agent API, but the package metadata fails to declare the environment variables that SKILL.md requires. Before installing:
1) Ask the publisher to update registry metadata to list OPENCLAW_AGENT_API_BASE_URL and OPENCLAW_AGENT_API_KEY.
2) Only provide an API key that is strictly read-only and scoped to the local agent endpoints described; avoid giving any key that allows trade execution, wallet access, or agent configuration changes.
3) Verify the OPENCLAW_AGENT_API_BASE_URL points to a trusted host you control.
4) Be aware the skill allows implicit invocation by agents — if you run autonomous agents, consider limiting or auditing invocations.
If the publisher cannot explain the metadata omission, treat the skill as untrusted until clarified.
Like a lobster shell, security has layers — review code before you run it.
