Polymarket Trader

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: polymarket-trader
Version: 1.0.0

The skill bundle is designed to analyze and tune a Polymarket trading strategy using Binance data. All scripts (`binance_klines.py`, `binance_regime.py`, `explain_fills.py`) interact with the public Binance API to fetch market data and `explain_fills.py` reads a specific local log file (`events.jsonl`) from the agent's workspace. While `explain_fills.py` contains a hardcoded absolute default path for `events.jsonl`, this path points to a non-sensitive file within the expected operational scope of the skill, and it's a default argument that can be overridden. There is no evidence of data exfiltration, malicious execution, persistence, prompt injection against the agent, or obfuscation. The behavior is clearly aligned with the stated purpose.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may recommend when to enter or exit Polymarket positions, which could influence financial decisions.

Why it was flagged

The skill gives concrete financial entry/exit decision rules. This is purpose-aligned and no order-placement code is present, but it could affect real-money trades if combined with separate trading tools.

Skill content

Trade only when there is measurable edge ... Enter only if `edge = fair_prob - market_price` exceeds a threshold.

Recommendation

Use it as an analysis aid, and require explicit user confirmation before any real-money trade or account action.

What this means

Recent fill history and reasons may be exposed in the agent session when the script is run.

Why it was flagged

The helper reads local trading/fill logs and prints fields from them into the analysis context. This is disclosed and purpose-aligned, but those logs may contain private trading history or untrusted text fields.

Skill content

Reads: workspace/polymarket_paperbot/state/events.jsonl ... Prints last N fills with: ts, token, side, px, reason, fair_up, z, against_trend.

Recommendation

Pass only the intended events.jsonl file, avoid logs containing secrets, and treat log contents as data rather than instructions.

What this means

The script may fail until the dependency is installed, and installing dependencies introduces normal package-source trust considerations.

Why it was flagged

This helper relies on an external Python package while the registry shows no install spec or declared requirements. This is an under-declared dependency, not evidence of malicious behavior.

Skill content

from dateutil import parser as dateparser

Recommendation

Install any needed Python dependency from a trusted source and review the bundled script before running it.