Polymarket Bot Skill

Audited by ClawScan on May 10, 2026.

Overview

This skill automates Polymarket trading. It handles wallet credentials and ships live, looping bot examples, so review it carefully before use.

Only use this skill if you are comfortable reviewing and controlling a crypto trading bot. Start in dry-run mode, use a limited test account, never print or share private keys or API secrets, and add hard trading limits and manual confirmations before enabling live orders.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A user may grant trading or wallet-derived authority without a clear credential contract, and derived API credentials could be exposed in terminal logs.

Why it was flagged

The skill handles a wallet private key and prints derived trading API credentials, while the registry metadata declares no required environment variables or primary credential.

Skill content
private_key = os.getenv('POLY_PRIVATE_KEY') ... creds = authenticate_with_clob(private_key) ... print("API creds derived:", creds)
Recommendation

Declare the credential requirement explicitly, avoid printing secrets, prefer least-privilege trading credentials over raw wallet private keys where possible, and require clear user confirmation before using them.
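One way to implement this recommendation, as an added example rather than the skill's own code: the required environment variable is declared in one place and checked up front, the private key and derived credentials are wrapped so that print() or logging shows only a fingerprint, a logging filter scrubs any raw value that still leaks into a message, and the operator must confirm before the key is used. The derive_api_creds function is a deterministic stand-in for the real CLOB authentication (an assumption so the example runs offline), and the Secret, RedactingFilter and bootstrap names are hypothetical.

```python
"""Credential contract and log redaction for a wallet-backed trading bot."""
import hashlib
import hmac
import logging
import os
from typing import Callable, Dict, Mapping, Optional

# Declared in one place so the skill's metadata and its code agree on what is required.
REQUIRED_ENV = ("POLY_PRIVATE_KEY",)


class MissingCredential(RuntimeError):
    """A required environment variable is absent or empty."""


class Secret:
    """Wraps a secret so print(), %s and %r show only a short fingerprint."""

    def __init__(self, value: str) -> None:
        self._value = value

    def reveal(self) -> str:
        """Explicit accessor; the only way to get the raw value."""
        return self._value

    def fingerprint(self) -> str:
        # Non-reversible, and enough to tell two keys apart in logs.
        return hashlib.sha256(self._value.encode()).hexdigest()[:8]

    def __repr__(self) -> str:
        return f"Secret(fp={self.fingerprint()})"

    __str__ = __repr__


class RedactingFilter(logging.Filter):
    """Scrubs every registered secret value out of log records, as a backstop
    for code that formats a raw string instead of a Secret."""

    def __init__(self) -> None:
        super().__init__()
        self._values: list = []

    def register(self, secret: Secret) -> None:
        self._values.append(secret.reveal())

    def scrub(self, message: str) -> str:
        for value in self._values:
            if value:
                message = message.replace(value, "[REDACTED]")
        return message

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg, record.args = self.scrub(record.getMessage()), ()
        return True


def load_required_env(env: Optional[Mapping[str, str]] = None) -> Dict[str, Secret]:
    """Fails fast, naming every missing variable, instead of passing None downstream."""
    env = os.environ if env is None else env
    missing = [name for name in REQUIRED_ENV if not env.get(name)]
    if missing:
        raise MissingCredential("missing required env var(s): " + ", ".join(missing))
    return {name: Secret(env[name]) for name in REQUIRED_ENV}


def derive_api_creds(private_key: Secret) -> Dict[str, Secret]:
    """Stand-in for the real CLOB authentication (assumption, not Polymarket's API):
    derives an API key and secret deterministically so the example runs offline."""
    raw = private_key.reveal().encode()
    api_key = hmac.new(b"api-key", raw, "sha256").hexdigest()[:16]
    api_secret = hmac.new(b"api-secret", raw, "sha256").hexdigest()
    return {"api_key": Secret(api_key), "api_secret": Secret(api_secret)}


def bootstrap(env: Mapping[str, str], confirm: Callable[[str], bool]) -> Dict[str, Secret]:
    """Loads the wallet key, asks the operator before using it, derives the
    trading credentials and logs fingerprints only."""
    log = logging.getLogger("polybot")
    redactor = RedactingFilter()
    log.addFilter(redactor)
    private_key = load_required_env(env)["POLY_PRIVATE_KEY"]
    redactor.register(private_key)
    if not confirm(f"Use wallet key {private_key!r} for trading? [y/N] "):
        raise PermissionError("operator declined to use the wallet credentials")
    creds = derive_api_creds(private_key)
    for secret in creds.values():
        redactor.register(secret)
    log.info("API creds derived: %s", creds)   # shows Secret(fp=...), never the values
    return creds


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(bootstrap(os.environ, lambda prompt: input(prompt).strip().lower() == "y"))
```

Compare the last log line with the skill's `print("API creds derived:", creds)`: the message is the same, but the values can no longer reach a terminal or log file, and a missing POLY_PRIVATE_KEY fails with a clear error at startup rather than somewhere inside the trading code.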

What this means

If the trading methods are completed or connected to real order APIs as intended, running the example could execute live trades and risk funds.

Why it was flagged

The integration example constructs the bot in live mode by default (dry_run=False) and immediately starts polling markets. That is high-impact financial automation with no explicit approval checkpoint between "run the example" and "place real orders".

Skill content
bot = PolymarketArbitrageBot(api_creds, dry_run=False)  # Set dry_run=True for testing ... asyncio.run(bot.poll_market(market_id))
Recommendation

Default to dry-run mode, require per-session and per-order approval for live trading, and document strict position, loss, and market limits.

What this means

Bad, duplicated, or manipulated external trading data could cause repeated unwanted trades or amplified losses.

Why it was flagged

The copy-trading loop mirrors external trader activity every 30 seconds with no visible deduplication, trader allowlist, per-trader cap, or approval step; the only containment is that each mirrored order is scaled to 10% of the source trade, so a replayed or manipulated feed is mirrored again at the same ratio.

Skill content
while True: ... for trade in trades: ... if not self.dry_run: amount = trade['amount'] * 0.10; self.place_order(trade['market_id'], trade['side'], amount) ... await asyncio.sleep(30)
Recommendation

Add deduplication, explicit trader allowlists, max daily loss, max order size, dry-run defaults, and manual approval before enabling copy trading.
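The following is an added example of the controls recommended for both the live-mode finding and the copy-trading finding above; it is not the skill's code. It keeps the skill's `place_order(market_id, side, amount)` signature and its 10% mirror ratio, but defaults to dry-run, requires a per-session confirmation before any live order, supports a per-order approval callback, deduplicates trades by id with bounded memory, enforces a trader allowlist, and caps order size, daily notional, per-trader daily notional and daily realized loss. The `id` and `trader` fields on each trade, the USDC unit and every limit value are assumptions; the feed is constructed sample data.

```python
"""Risk-gated copy-trading executor: dedup, allowlist, caps, dry-run default,
per-session arming and per-order approval."""
from collections import deque
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Limits:
    mirror_ratio: float = 0.10         # mirror 10% of the source trade, as the skill does
    max_order_size: float = 50.0       # hard cap per mirrored order (assumed unit: USDC)
    max_daily_notional: float = 500.0  # total placed per day across all traders
    max_per_trader_daily: float = 200.0
    max_daily_loss: float = 100.0      # stop placing once realized loss reaches this


@dataclass
class Decision:
    trade_id: str
    action: str          # "placed", "dry_run" or "skipped"
    amount: float = 0.0
    reason: str = ""


class CopyTrader:
    def __init__(self, place_order: Callable[[str, str, float], None],
                 allowlist: Iterable[str], limits: Limits = Limits(),
                 dry_run: bool = True,
                 approve: Optional[Callable[[dict, float], bool]] = None,
                 seen_capacity: int = 10_000) -> None:
        self.place_order = place_order
        self.allowlist = frozenset(allowlist)
        self.limits = limits
        self.dry_run = dry_run           # safe default: nothing is sent
        self.approve = approve           # per-order operator check, used only when live
        self._seen: set = set()          # bounded dedup memory of trade ids
        self._seen_order: deque = deque()
        self._seen_capacity = seen_capacity
        self._live_armed = False
        self.daily_notional = 0.0
        self.per_trader_notional: Dict[str, float] = {}
        self.realized_pnl = 0.0

    def arm_live(self, confirm: Callable[[str], bool]) -> None:
        """Per-session checkpoint: live orders require an explicit yes every run."""
        if self.dry_run:
            raise RuntimeError("cannot arm live trading while dry_run=True")
        if not confirm("Enable LIVE order placement for this session?"):
            raise PermissionError("operator declined live trading")
        self._live_armed = True

    def record_pnl(self, delta: float) -> None:
        self.realized_pnl += delta

    def new_day(self) -> None:
        self.daily_notional = 0.0
        self.per_trader_notional.clear()
        self.realized_pnl = 0.0

    def _first_sighting(self, trade_id: str) -> bool:
        if trade_id in self._seen:
            return False
        self._seen.add(trade_id)
        self._seen_order.append(trade_id)
        if len(self._seen_order) > self._seen_capacity:
            self._seen.discard(self._seen_order.popleft())
        return True

    def handle_trade(self, trade: dict) -> Decision:
        tid, trader = trade["id"], trade["trader"]
        if not self._first_sighting(tid):
            return Decision(tid, "skipped", reason="duplicate")
        if trader not in self.allowlist:
            return Decision(tid, "skipped", reason="trader not allowlisted")
        if self.realized_pnl <= -self.limits.max_daily_loss:
            return Decision(tid, "skipped", reason="daily loss limit reached")
        amount = min(trade["amount"] * self.limits.mirror_ratio, self.limits.max_order_size)
        if self.daily_notional + amount > self.limits.max_daily_notional:
            return Decision(tid, "skipped", amount, "daily notional limit")
        spent = self.per_trader_notional.get(trader, 0.0)
        if spent + amount > self.limits.max_per_trader_daily:
            return Decision(tid, "skipped", amount, "per-trader daily cap")
        if self.dry_run:
            return Decision(tid, "dry_run", amount)
        if not self._live_armed:
            return Decision(tid, "skipped", amount, "live trading not armed")
        if self.approve is not None and not self.approve(trade, amount):
            return Decision(tid, "skipped", amount, "operator declined order")
        self.place_order(trade["market_id"], trade["side"], amount)
        self.daily_notional += amount
        self.per_trader_notional[trader] = spent + amount
        return Decision(tid, "placed", amount)

    def handle_trades(self, trades: Iterable[dict]) -> List[Decision]:
        return [self.handle_trade(t) for t in trades]


# Constructed sample feed (not real Polymarket data); "id" and "trader" fields are assumed.
SAMPLE_FEED = [
    {"id": "t1", "trader": "0xAAA", "market_id": "m1", "side": "BUY", "amount": 200.0},
    {"id": "t1", "trader": "0xAAA", "market_id": "m1", "side": "BUY", "amount": 200.0},   # replayed
    {"id": "t2", "trader": "0xBBB", "market_id": "m2", "side": "SELL", "amount": 100.0},  # not allowlisted
    {"id": "t3", "trader": "0xAAA", "market_id": "m3", "side": "BUY", "amount": 5000.0},  # hits order cap
]


def run_demo(dry_run: bool = True) -> Tuple[List[Decision], List[Tuple[str, str, float]]]:
    """Runs one polling cycle over SAMPLE_FEED and returns (decisions, orders sent)."""
    orders: List[Tuple[str, str, float]] = []
    bot = CopyTrader(place_order=lambda m, s, a: orders.append((m, s, a)),
                     allowlist={"0xAAA"}, dry_run=dry_run,
                     approve=lambda trade, amount: True)   # real bots: prompt the operator here
    if not dry_run:
        bot.arm_live(lambda prompt: True)                  # real bots: prompt the operator here
    return bot.handle_trades(SAMPLE_FEED), orders


if __name__ == "__main__":
    for decision in run_demo(dry_run=True)[0]:
        print(decision)
```

The `while True` / `sleep(30)` loop from the skill would call `handle_trades` once per cycle; because every check lives in `handle_trade` and returns a Decision, the loop can log why each mirrored trade was placed or skipped, and a replayed feed costs nothing beyond a "duplicate" decision.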

What this means

Users must install dependencies by hand without knowing which versions the scripts were written against, which increases setup mistakes and dependency risk for a financial bot.

Why it was flagged

The included scripts import third-party packages such as web3, requests, and dotenv, but no pinned dependency list or installation guidance is provided.

Skill content
No install spec — this is an instruction-only skill.
Recommendation

Provide a pinned requirements file or clear install spec, and reconcile referenced script names with the actual files.