Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Polymarket Trading Bot
v1.0.0
Autonomous prediction market agent - analyzes markets, researches news, and identifies trading opportunities
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the implementation. The skill requires python/pip and a POLYMARKET_KEY (wallet/private key), uses Polymarket endpoints via py-clob-client, and provides CLI commands to list markets, check balance, and place orders — all expected for a trading bot.
Instruction Scope
SKILL.md and the code instruct the agent to perform web searches, fetch articles, use Clawdbot memory, schedule cron jobs, and call the local `poly` CLI which runs the included scripts. The configure flow explicitly asks for the user's private key and stores it in Clawdbot config; this is functionally required for placing trades but is high-risk and should be understood by the user. The instructions also encourage autonomous operation (scheduling/cron), which expands the runtime scope.
Install Mechanism
No remote or opaque installers are fetched. The included install.sh creates a local venv and runs pip install -r requirements.txt and pip install -e ., which is standard. All dependencies are installed from PyPI (no arbitrary download URLs or extract steps).
Credentials
Only POLYMARKET_KEY is declared as required, which is appropriate for wallet-authenticated trading. The configure wizard collects a wallet private key (sensitive) and attempts to store it in Clawdbot's global config under skills.entries.polymarket-agent.env.POLYMARKET_KEY — this is proportionate to the skill's purpose but represents a significant secret management decision the user must accept.
Persistence & Privilege
The skill does not request 'always: true' or system-wide privileges. It writes its own configuration entry (Clawdbot config path under its skill entry) to persist the POLYMARKET_KEY; that is expected but means secrets will be stored in Clawdbot's config store if configure succeeds. The skill supports enabling autonomous trading, which increases operational risk if misconfigured.
Assessment
This package appears to do what it claims, but it requires a wallet private key and can execute real trades — treat it as high-risk. Before installing or entering secrets:
- Review the included code (configure.py, trade.py) yourself or with someone you trust. configure.py stores the private key in Clawdbot config; confirm you are comfortable with that storage location.
- Prefer using a dedicated trading wallet with limited funds or a restricted API/subkey rather than your main wallet.
- Inspect the py-clob-client library (and its create_or_derive_api_creds behavior) to understand what is sent to https://clob.polymarket.com and whether it exposes your private key remotely.
- Test in a sandbox or with a read-only setup first (do not enable autonomous mode until you are confident).
- Keep your environment variable (POLYMARKET_KEY) secured; if you prefer not to persist the key in Clawdbot config, set POLYMARKET_KEY only in the environment at runtime.
- Verify dependencies are installed from official PyPI and consider auditing them (py-clob-client, web3, questionary, etc.).
If you want, I can list exact lines where the skill stores secrets and where it initiates network calls to help a focused code audit.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
🎰 Clawdis
OS: macOS · Linux · Windows
Bins: python, pip
Env: POLYMARKET_KEY
Primary env: POLYMARKET_KEY
