Polymarket Intelligence Skill
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: pkedge Version: 1.0.3 The pkedge skill is a Polymarket intelligence tool that requires high-risk permissions, including access to Telegram bot tokens via environment variables and the ability to perform automated web searches and external data transmission. The SKILL.md file instructs the agent to establish persistence using cron.js and launchd, and to perform frequent automated tasks that involve scraping wallet data and sending alerts to external Telegram channels. While these actions align with the stated purpose of a trading monitor, the absence of the actual implementation code (fetch.js, analyze.js, deliver.js) prevents verification that these capabilities and credentials are not being used for unauthorized data exfiltration or broader system access.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user could be guided to run code or dependencies that were not included in the reviewed skill package.
The reviewed package does not include the JavaScript files or package metadata that SKILL.md describes, so the actual code and dependencies users would run are outside the reviewed artifacts.
No code files present — this is an instruction-only skill. ... 1 file(s): SKILL.md
Do not run the Node setup until the referenced source files, package.json, and lockfile are supplied, pinned, and reviewed.
Running these commands could execute unreviewed local code or dependency install scripts, especially if the user obtains files from an unknown source.
These are explicit local code-execution and package-installation instructions, but the runnable files are not present in the supplied artifacts.
1. `cd` into the skill folder and run `npm install` ... 3. Run `node cron.js` to start scheduled jobs, or configure launchd to run on boot
Only run these commands in a trusted, reviewed checkout with pinned dependencies; avoid configuring boot persistence until the behavior is verified.
The bot may continue posting alerts to configured Telegram channels until the scheduled runner is stopped.
The skill is designed for recurring autonomous monitoring and alerting. This is disclosed and purpose-aligned, but users should notice that it can keep operating on a schedule.
Every 30 min — Real-time consensus alert when 3+ whales enter the same market ... Every 30 min — Real-time insider alert when fresh wallet drops >$50K on one market
Confirm the schedule, channel targets, logging, and shutdown process before enabling the cron or launchd runner.
If these tokens are exposed or mishandled, someone could post through the Telegram bots or disrupt the configured channels.
Telegram credentials are expected for sending Telegram alerts, but they grant the configured bot the ability to post to the associated chats.
Create a `.env` file with your Telegram credentials: `PKEDGE_TELEGRAM_TOKEN_FREE` ... `PKEDGE_TELEGRAM_TOKEN_TRADER`
Use dedicated Telegram bots with limited channel access, keep tokens out of shared logs/files, and rotate them if there is any exposure.