Polymarket MCP — Live Markets & Prices

Pass. Audited by ClawScan on May 14, 2026.

Overview

This appears to be a read-only Polymarket data connector that fetches public market information, with the main considerations being external API calls and normal npm dependency trust.

Before installing, be comfortable with npm-based setup and with sending Polymarket-related search terms to Polymarket's public APIs. The reviewed artifacts do not show wallet access, trading actions, credential use, persistence, or local data collection.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Market keywords, slugs, or condition IDs entered into the tool may be sent to Polymarket API endpoints.

Why it was flagged

The tools make outbound HTTP GET requests to Polymarket's public APIs to satisfy market search, pricing, and history requests. This is expected for the skill's purpose, but it means user-provided search terms or market identifiers leave the local environment.

Skill content

const GAMMA_API  = "https://gamma-api.polymarket.com";
const CLOB_API   = "https://clob.polymarket.com";
...
fetch(url.toString(), { headers: BASE_HEADERS, signal: ctrl.signal });

Recommendation

Use it for public market research and avoid putting private or sensitive information into search queries.

What this means

Installing or developing the skill may fetch packages from npm, so dependency provenance matters.

Why it was flagged

The Node setup relies on npm packages with semver ranges. This is normal for a TypeScript MCP server and a package-lock is present in the manifest, but installing still carries ordinary npm supply-chain trust considerations.

Skill content

"dependencies": { "@modelcontextprotocol/sdk": "^1.12.0" },
"devDependencies": { "@types/node": "^20.0.0", "tsx": "^4.19.0", "typescript": "^5.4.0" }

Recommendation

Install from a trusted copy, keep the lockfile, and pin or review dependencies if reproducible builds are important.