Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

polymarket-predictradar-market-discovery-skills

v1.0.0

Polymarket hot market rankings & new market discovery. View trending markets by 24h volume/traders, discover newly listed high-momentum markets, browse activ...

by Yeri@cnica
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The skill describes itself as 'market discovery', which could legitimately use Polymarket data, but its runtime instructions require a local shared data layer (mcp-client, gamma-client, smartmoney) and Node execution. The skill metadata declares no required binaries, env vars, or code files, a clear mismatch: anyone running this skill would need the polymarket-data-layer and Node, neither of which is declared or provided.
Instruction Scope
SKILL.md tells the agent to cd to a project path and run inline node -e scripts that require local modules (../../polymarket-data-layer/...). Those instructions include running SQL queries (trades, positions) through mcp-client and calling gamma-client, i.e. access to local code, DB clients, and potentially credentials. The skill neither declares nor restricts these actions, and it does not ship the referenced code. Instructing the agent to execute arbitrary Node code from a local path is scope creep and an execution risk.
Install Mechanism
There is no install spec (the package is instruction-only), yet SKILL.md assumes Node is available and a particular local repository layout exists. That combination is risky: the agent will attempt commands that either fail outright or, if the layout happens to exist, run local code of unknown provenance. An install spec or a clear dependency list (Node version, npm packages, or a packaged data layer) is missing and should be required.
Credentials
The skill declares no required environment variables or primary credential, but the documented MCP client requires a session handshake and Gamma likely needs service access; both typically involve credentials or tokens. Omitting these declarations means the agent may rely on implicitly available credentials or fail unexpectedly. The skill also references local cache files (smart-money) without specifying paths or permissions.
Persistence & Privilege
The skill does not request always:true, system-wide changes, or other skills' config. Default autonomous invocation is allowed but not by itself a concern here. The primary issue is the mismatch between declared footprint and the actions the instructions request, not persistent privileges.
Scan Findings in Context
[scanner:no-findings] unexpected: The regex scanner found no code (this is an instruction-only package). However, SKILL.md references local JS modules and inline node execution — the absence of code files is itself an incoherence given those instructions.
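One way to mechanise the footprint-versus-instructions comparison this report makes by hand: parse the manifest's declared binaries, env vars and files, then scan the instruction body for inline interpreter execution, relative requires that escape the package, hard-coded cd targets and SQL issued without any declared credential. This is an added example, not ClawHub's scanner or the skill's own code. The frontmatter shape (requires.binaries, requires.env, files) is an assumption, not ClawHub's real schema, and both SKILL.md samples are constructed to mirror the patterns the report describes rather than copied from the published skill.

```python
"""Check an instruction-only skill for execution it does not declare.

Added example, not ClawHub's scanner or the skill's own code. It assumes a
SKILL.md with YAML-ish frontmatter declaring `requires.binaries`,
`requires.env` and `files` (an assumed manifest shape, not ClawHub's real
schema) followed by the instructions an agent would run. Both SKILL.md
samples below are constructed to mirror the patterns the scan report
describes; neither is copied from the published skill.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    severity: str   # "high" or "medium"
    rule: str
    evidence: str


# Constructed: declares nothing, yet cds into a repo layout, runs inline
# Node, requires modules it does not ship, and issues SQL via a client.
SAMPLE_SKILL_MD = """---
name: example-market-discovery
requires:
  binaries: []
  env: []
files: []
---
# Usage
cd ~/projects/polymarket/skills/market-discovery
node -e "const mcp = require('../../polymarket-data-layer/mcp-client'); mcp.query('SELECT * FROM trades LIMIT 10')"
node -e "const g = require('../../polymarket-data-layer/gamma-client'); g.trending({hours: 24})"
"""

# Constructed: the same kind of skill with a coherent footprint.
DECLARED_SKILL_MD = """---
name: example-market-discovery
requires:
  binaries: [node]
  env: [GAMMA_TOKEN]
files: [lib/client.js]
---
# Usage
node -e "require('./lib/client.js').trending({hours: 24})"
"""

FRONTMATTER_RE = re.compile(r"\A---\n(.*?)\n---\n(.*)\Z", re.S)
LIST_RE = re.compile(r"^\s*(binaries|env|files):\s*\[(.*?)\]\s*$", re.M)
INLINE_EXEC_RE = re.compile(r"\b(node|python[0-9.]*|ruby|perl|bash|sh)\s+-[ec]\s")
REQUIRE_RE = re.compile(r"""require\(\s*['"](\.\.?/[^'"]+)['"]\s*\)""")
CD_RE = re.compile(r"^\s*cd\s+(\S+)", re.M)
SQL_RE = re.compile(r"\b(SELECT|INSERT|UPDATE|DELETE)\b\s", re.I)


def parse_skill(text):
    """Return (declared footprint, instruction body)."""
    declared = {"binaries": [], "env": [], "files": []}
    m = FRONTMATTER_RE.match(text)
    if not m:
        return declared, text
    for key, items in LIST_RE.findall(m.group(1)):
        declared[key] = [i.strip().strip("'\"") for i in items.split(",") if i.strip()]
    return declared, m.group(2)


def audit(text):
    """Compare what the instructions execute against what the manifest declares."""
    declared, body = parse_skill(text)
    findings = []
    seen = set()
    # Inline interpreter execution the manifest never declared.
    for m in INLINE_EXEC_RE.finditer(body):
        interp = m.group(1)
        if interp not in declared["binaries"] and interp not in seen:
            seen.add(interp)
            findings.append(Finding("high", "undeclared-binary",
                                    f"inline {interp} -e/-c but '{interp}' not in requires.binaries"))
    # Relative requires: '../' escapes the package, './' must be shipped in files.
    for path in REQUIRE_RE.findall(body):
        if path.startswith("../"):
            findings.append(Finding("high", "external-module",
                                    f"require('{path}') resolves outside the package"))
        elif path[2:] not in declared["files"]:
            findings.append(Finding("medium", "missing-file",
                                    f"require('{path}') not shipped in files"))
    for target in CD_RE.findall(body):
        findings.append(Finding("medium", "hard-coded-path", f"cd {target}"))
    # SQL against a local DB client with no declared token is implicit credential use.
    if SQL_RE.search(body) and not declared["env"]:
        findings.append(Finding("medium", "implicit-credentials",
                                "SQL issued but no env vars or tokens declared"))
    return findings


def verdict(findings):
    return "suspicious" if any(f.severity == "high" for f in findings) else "clean"


if __name__ == "__main__":
    for label, text in (("undeclared", SAMPLE_SKILL_MD), ("declared", DECLARED_SKILL_MD)):
        fs = audit(text)
        print(label, verdict(fs))
        for f in fs:
            print(f"  [{f.severity}] {f.rule}: {f.evidence}")
```

The undeclared sample yields one high finding per interpreter and per external require plus medium findings for the cd target and the credential-less SQL, so it is marked suspicious; the declared sample, which ships its module, names node and GAMMA_TOKEN, and avoids absolute paths, produces no findings. The check is deliberately textual: it cannot tell whether the referenced code is safe, only whether the skill admits to needing it.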
What to consider before installing
This skill's instructions expect a local 'polymarket-data-layer' repository and Node to be present, and will run inline Node scripts that require local modules; the package provides none of that and declares no credentials. Do not install or run this skill unless:
(1) you control and trust the environment where it will run,
(2) you have the referenced polymarket-data-layer code installed in the expected path, and
(3) the author provides an install spec and a clear list of required environment variables/tokens.
Ask the publisher to add:
a) an install section (how to obtain and verify the data layer and Node deps),
b) explicit required env vars (with justification),
c) no hard-coded paths, and
d) a source/homepage or repo so you can review the referenced client code before executing.
If you cannot verify those, run it only in an isolated environment (container/VM) or decline.

Like a lobster shell, security has layers — review code before you run it.

