Polymarket Whale Copier
Rating: Warn. Audited by ClawScan on May 10, 2026.
Overview
This financial trading skill asks for a Polymarket private key and can run continuously in the background, while its metadata and documentation understate or contradict important risks.
Do not install this for live trading or enter a main wallet private key. If you experiment, keep dry_run enabled, use a new low-balance wallet, review the scripts yourself, and verify that the tool actually implements safe Polymarket signing and trading before trusting it.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Finding 1
Impact: If the key is mishandled or used by unsafe code, the user could lose control over funds or signed trading actions.
Details: The skill asks the user to provide a wallet private key, which is high-impact account authority for trading/funds access. This is not reflected in the registry's declared credentials or environment variables.
Evidence:
    export POLYMARKET_KEY="0xYourPrivateKey"
    ...
    Private key (for signing trades)
Recommendation: Do not provide a main wallet private key. Use dry-run only, or a fresh low-balance wallet, and require the skill metadata and code to clearly declare and scope private-key handling before any live use.

Finding 2
Impact: A user may trust the skill's trading and redemption claims, provide sensitive credentials, or configure live trading even though the supplied implementation does not do what it advertises.
Details: The implementation explicitly says live trading is not implemented, contradicting the SKILL.md claims that it automatically copies trades and places matching orders.
Evidence:
    # Real execution would go here
    # Requires CLOB API integration
    self._log(f"⚠️ Live trading not implemented - use Polymarket CLOB API")
Recommendation: Treat the advertised automation as unverified. Do not provide a private key until the implementation, documentation, and metadata consistently describe what actions are actually performed.

Finding 3
Impact: The raw private key is not shown being sent, but the script creates and uses a deterministic key-derived identifier in provider requests, which is unexpected and functionally incorrect for wallet handling.
Details: The code derives a pseudo-wallet address from the private key rather than using a proper Ethereum wallet derivation, and that derived value is later used in external balance/position API calls.
Evidence:
    return "0x" + hashlib.sha256(self.private_key.encode()).hexdigest()[:40]
Recommendation: Remove the private-key hash derivation, use a standard audited Ethereum library locally, and clearly disclose any external API calls involving wallet identifiers.

Finding 4
Impact: The monitor can continue polling and logging until stopped, which could surprise users if they forget it is running.
Details: The skill can start a background process that keeps running independently, which is expected for a copier/monitor but important for users to notice.
Evidence:
    screen -dmS whale-copier python3 "$SCRIPT_DIR/copy_trader.py" "$@"
Recommendation: Run it only intentionally, monitor the screen/logs, and use scripts/stop.sh when finished.

Finding 5
Impact: Users have less external context for verifying the author, update source, or intended dependencies.
Details: The skill has limited provenance and no install specification, which matters more because it asks for a financial private key.
Evidence:
    Source: unknown
    Homepage: none
    No install spec: this is an instruction-only skill.
Recommendation: Review the included scripts before use and prefer a version with clear source provenance, dependency declarations, and credential requirements.
