Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Polymarket-AutoTrade
v1.1.1
Polymarket prediction market CLI - Browse markets, check prices, execute trades, and manage portfolio.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (Polymarket CLI: browse, price, trade, portfolio) match the declared requirements: python3/pip, requests and py-clob-client, and wallet credentials (private key + proxy address). Requiring a private key and proxy address is expected for a trading client.
Instruction Scope
SKILL.md and skill.py keep scope focused on fetching market data and trading via Polymarket endpoints (gamma-api.polymarket.com, data-api.polymarket.com, clob.polymarket.com). The docs instruct storing credentials in ~/.openclaw or env vars and state that signing is local. Note: the docs' recommendation to put the raw private key in openclaw.json is insecure by design; the skill will read env vars and config files as described.
Install Mechanism
Dependencies are standard Python packages (requests, py-clob-client) declared in pyproject/requirements.txt. No download-from-arbitrary-URL or extracted archives are present. This install spec is proportional to a Python CLI that interacts with Polymarket.
Credentials
Only two env vars are required: POLYMARKET_PRIVATE_KEY and POLYMARKET_PROXY_ADDRESS, and the primary credential is the private key — which is necessary for signing trades. That is proportionate to trading functionality but represents high-value secrets; the skill writes API credentials to ~/.openclaw/credentials/polymarket_api.json which is expected but sensitive.
Persistence & Privilege
Skill is not forced-always, is user-invocable, and stores credentials only under ~/.openclaw. It does not request system-wide configuration or other skills' credentials. Its persistence level is typical for a user-installed trading skill.
Assessment
This skill is internally consistent for a Polymarket trading CLI, but it requires your wallet private key — a high-value secret. Only install if you trust the code and the py-clob-client library. Before using:
(1) Prefer setting credentials via environment variables rather than embedding raw keys in files;
(2) Use a dedicated, funded-for-purpose wallet (as the docs recommend) — do NOT use your main wallet;
(3) Ensure config files (~/.openclaw/credentials/*.json) have strict permissions (chmod 600);
(4) Audit or review the trade-related code paths and the py-clob-client dependency to confirm signing happens locally and private key material is never transmitted in plain text;
(5) Consider running the skill in an isolated environment or sandbox and monitor network calls to clob.polymarket.com and related Polymarket endpoints before trusting it with funds.
If you want a higher-assurance recommendation, provide the full trade-related functions from skill.py and confirm which py-clob-client version will be installed so they can be audited.
Like a lobster shell, security has layers — review code before you run it.
latestvk97c1s1rgvyfycaf8bgbhc50fh845zbr
Runtime requirements
📈 Clawdis
OS: Linux · macOS
Bins: python3, pip
Env: POLYMARKET_PRIVATE_KEY, POLYMARKET_PROXY_ADDRESS
Primary env: POLYMARKET_PRIVATE_KEY
Install
uv
uv tool install requests
uv
uv tool install py-clob-client