Polymarket Real Time Trades Stream

Review

Audited by ClawScan on May 1, 2026.

Overview

The skill appears to do what it claims—stream public Polymarket trade data—but users should protect the Bitquery API key because it is placed in the WebSocket URL.

This skill is reasonable to install if you want a live Polymarket trade stream and are comfortable supplying a Bitquery API key. Run it in a controlled environment, avoid logging WebSocket URLs, consider using --timeout for bounded runs, and rotate the API key if you suspect the URL was exposed.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the full WebSocket URL is captured in logs, debugger output, proxy history, shell history, or monitoring tools, another party could use the Bitquery token and consume quota or access the token's API privileges.

Why it was flagged

The script reads the user's Bitquery API token from the environment and places it in the WebSocket URL for authentication.

Skill content

api_key = get_api_key(); url = f"{BITQUERY_WS_BASE}?{urlencode({'token': api_key})}"

Recommendation

Use a limited Bitquery token if available, set it only as an environment variable, avoid logging full WebSocket URLs, run in a controlled environment, and rotate the token if exposure is suspected.

What this means

Users have less external context for verifying the publisher or future updates to a credential-using skill.

Why it was flagged

The registry metadata does not provide a source repository or homepage, which limits provenance verification even though the included code is readable and matches the stated purpose.

Skill content

Source: unknown; Homepage: none

Recommendation

Review the included script before running, verify the publisher if possible, and install dependencies in an isolated environment.