Polymarket Opportunities Scanning

Review

Audited by ClawScan on May 1, 2026.

Overview

The skill appears to perform the advertised Polymarket scan and report delivery, but it uses local command execution, Apple Mail, and optional scheduled automation that users should review before enabling.

Before installing, review the two scripts, configure only the intended email recipient, and enable the cron job only if you want automatic daily runs. The skill appears not to place trades or access Polymarket credentials; it scans public markets and sends reports, but you should manually verify any financial opportunity before acting.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Running the report script can execute local Node and osascript commands on the user's machine.

Why it was flagged

The script invokes a local shell command to run AppleScript for email delivery. This matches the documented macOS email mechanism, but users should understand that running the skill executes local commands.

Skill content

execSync(`osascript -e '${escaped}'`, { timeout: 30000 });

Recommendation

Run it only from a trusted directory, review the script before scheduling it, and avoid placing it in paths controlled by untrusted users.

What this means

The skill can send report or error emails from the user's default Apple Mail account to the configured recipient.

Why it was flagged

The script uses the local Apple Mail application to send the report from the user's configured mail account. This is disclosed and purpose-aligned, but it is still account-level sending authority.

Skill content

tell application "Mail" ... make new outgoing message ... send newMessage

Recommendation

Set SMTP_TO carefully, confirm Apple Mail is the intended sending account, and do not enable the schedule unless automatic email sending is desired.

What this means

If configured, the scan and email report may run every day until the user disables the schedule.

Why it was flagged

The skill documents an optional recurring daily run. This is not hidden and fits the morning-report purpose, but it creates persistent automation if the user installs the schedule.

Skill content

"schedule": { "kind": "cron", "expr": "0 8 * * *", "tz": "Europe/Stockholm" }

Recommendation

Enable the cron job only if recurring reports are wanted, keep the script path fixed and trusted, and document how to disable the schedule.

What this means

Users may install the skill without realizing it depends on local Node.js and macOS Apple Mail/osascript for full functionality.

Why it was flagged

The registry metadata does not declare the runtime requirements even though the artifacts include runnable scripts and setup documentation requiring Node.js/macOS. This is an under-declared setup issue, not evidence of hidden malicious code.

Skill content

Required binaries (all must exist): none ... Install specifications: No install spec — this is an instruction-only skill. Code file presence: 2 code file(s)

Recommendation

Declare Node.js and macOS/osascript requirements in metadata or install notes, and verify the scripts supplied are the ones being scheduled.

What this means

A user may expect Telegram reports or alerts that the provided code does not actually send.

Why it was flagged

The setup guide claims Telegram support and a TELEGRAM_CHAT_ID constant, but the provided send-report.js only implements email sending. This is a documentation/capability mismatch rather than malicious behavior.

Skill content

The `send-report.js` script uses OpenClaw's `message` tool for Telegram. ... Update the `TELEGRAM_CHAT_ID` constant in `send-report.js`

Recommendation

Treat Telegram delivery as unimplemented unless the script is updated and reviewed; rely on the Apple Mail email path as the implemented delivery mechanism.