Polymarket Politics Random 1U
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
This skill matches its stated Polymarket trading purpose, but it can run on a schedule and repeatedly make random live trades if live mode is enabled.
Install only if you understand it is a trading template. Run it in dry-run mode first, do not set RUN_LIVE unless you want automated live trading, disable the 30-minute automaton for live use, cap trade size and total spend, and use limited credentials or a low-balance wallet.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If live mode is enabled, the skill can spend funds and open Polymarket positions the user may not have reviewed individually.
Live trading can be enabled by an environment variable, the selected market is random, and the trade amount is configurable with no cap or per-trade confirmation in the script.
live = args.live or env_flag("RUN_LIVE") ... market = choose_market(candidates) ... amount = float(os.getenv("TRADE_AMOUNT_USD", "1")) ... result = client.trade(
Keep dry-run mode by default, remove or tightly control RUN_LIVE, add explicit human approval before each trade, and enforce daily/total spend limits.
A one-time live trading setting could result in repeated automated random trades over time.
The skill is configured for recurring managed background execution every 30 minutes, which is high impact for a script capable of live financial trades.
"cron": "*/30 * * * *", "automaton": { "managed": true, "entrypoint": "politics_random_1u.py" }
Disable the cron/automaton for live trading, or require a fresh user approval and a hard stop condition for every scheduled run.
Compromise or misuse of these secrets could allow unauthorized trading or wallet access.
These credentials are expected for the stated trading integration, but an API key and especially a wallet private key grant sensitive account or wallet authority.
"AION_API_KEY" ... "used for market reads and trade execution" ... "WALLET_PRIVATE_KEY" ... "Optional private key for external-wallet self-custody live trading on Polymarket."
Use a limited-purpose API key and a wallet with only the funds you are willing to risk; avoid providing a private key unless absolutely necessary.
A dependency update or package-resolution issue could change the behavior of a trading skill.
The required SDK dependency is not version-pinned. This is common for templates but leaves the installed code dependent on whatever package version is resolved later.
"requires": { "pip": ["aion-sdk"], "env": ["AION_API_KEY"] }
Pin a reviewed aion-sdk version and install from a trusted package source before enabling live trading.
