Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
polymarket-sports-trade
v1.0.0
Conversational PolySports trading and OpenClaw automation through structured `/skills/v1` endpoints. Use when user needs to look up PolySports markets, inspe...
by Jerry@dreamcoin1998
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious, medium confidence
Purpose & Capability
The SKILL.md and supporting files consistently describe a PolySports trading & OpenClaw automation skill. However, the skill registry name/slug ('polymarket-sports-trade') and the package content refer to 'PolySports' rather than 'Polymarket', which is confusing and could mislead users. Overall the required capabilities (API calls, cron job templates, Telegram delivery) are coherent with a trading/automation skill.
Instruction Scope
The runtime instructions ask the agent to require a valid X-PolySports-Api-Key and, if missing, to ask the user to paste it directly into the conversation. The skill also contains templates and cron jobs that instruct automated, recurring monitoring and potential writes (orders) using that key and Telegram delivery targets. Asking users to send secrets in-chat and creating autonomous scheduled jobs that can place trades are both sensitive behaviors that broaden the skill's scope beyond passive read-only lookups.
Install Mechanism
This is an instruction-only skill with no install steps or third-party downloads. That minimizes code/install risk because nothing new is written to disk by the skill bundle itself.
Credentials
The SKILL.md repeatedly requires an X-PolySports-Api-Key and defines placeholders like __POLYSPORTS_API_KEY__, __TELEGRAM_CHAT_ID__, and __POSITION_SIZE_USDC__, but the registry metadata declares no required env vars or primary credential. That mismatch is an incoherence: a trading skill that executes writes should declare the expected credential handling and storage model. Also, instructing users to paste API keys into chat is a disproportionate and risky credential-handling pattern unless the platform provides secure secret injection.
Persistence & Privilege
always:false and user-invocable:true — so the skill is not force-included. However, the provided job template and monitor-launcher prompt are explicitly designed to create OpenClaw cron jobs that will run recurring monitoring and can place trades (if the API key and delegated authority are present). That enables persistent, autonomous activity contingent on user-provided keys/permissions; users should be aware and control delegation carefully.
What to consider before installing
Before installing or using this skill:
1) Do not paste API keys into chat unless you understand how the platform will store and protect them — prefer a secure secret mechanism (declared env var or secret vault).
2) Ask the publisher to correct the name/slug mismatch (Polymarket vs PolySports) to avoid confusion.
3) Request that the skill metadata explicitly declare required credentials (e.g., X-PolySports-Api-Key) and document how/where keys are stored and who can access them.
4) Review and approve any cron/monitor templates that will be created (assets/cron/jobs.template.json and monitor-launcher.prompt.md) and confirm the Telegram delivery target; remove or lock any automation that could place real trades until you have explicitly granted and audited persistent trading authority.
5) If you want to proceed, test in a staging environment or with a test API key and without granting discretionary trading authority, and verify the skill's behavior (preview flows, idempotency keys, order-checking) before allowing real money trades.
Like a lobster shell, security has layers — review code before you run it.
