Polymarket Oracle
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
This skill is a real-money Polymarket trading bot that can run continuously and store powerful financial credentials, so it needs careful review before use.
Install only if you intentionally want an automated real-money trading bot. Start in simulation mode, inspect the full code, use a separate low-balance wallet, do not store your wallet private key in shell/systemd files, set strict capital limits, and disable the systemd service when not actively monitoring it.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A bad signal, bug, or misconfiguration could place real Polymarket orders and lose funds without the user approving each trade.
The documentation confirms that once API credentials are set, the skill can mutate a real financial account by placing trades; the artifacts do not clearly show a per-trade approval gate.
Live mode: - ✅ Can place real orders - ✅ Executes trades - ⚠️ Uses real money!
Run in simulation first, inspect the trading logic, set strict capital limits, and require explicit human confirmation before any live order placement.
A wallet private key can control all funds in the wallet; storing it persistently greatly increases the impact of any local compromise or accidental disclosure.
The setup guide instructs users to persist a wallet private key in shell startup configuration, despite other parts of the same guide saying the private key is only needed once and should not be stored long-term.
cat >> ~/.bashrc << 'EOF' ... export WALLET_PRIVATE_KEY="..."
Do not store WALLET_PRIVATE_KEY in ~/.bashrc, systemd, or project files. Generate API credentials locally once, then remove the private key and use a low-balance dedicated wallet/API key.
The bot may continue scanning and trading after logout, reboot, or crash recovery, which can surprise users if they forget it is enabled.
The documented systemd setup is disclosed, but it creates a long-running autonomous service for a financial trading bot.
Auto-starts when server boots ... Auto-restarts if scanner crashes ... Runs in background (no SSH needed)
Only enable systemd after live-trading safeguards are in place; document how to stop/disable the service and monitor it continuously.
Users may deploy more capital or enable automation based on overly confident claims, even though prediction-market trades can fail due to liquidity, timing, fees, cancellations, or bugs.
The skill makes strong guaranteed-profit and zero-risk claims in a real-money trading context, which can cause users to over-trust automated execution.
Risk: ZERO (guaranteed profit) ... Win rate: 100% (if executed)
Treat all performance claims skeptically, use small test amounts, and require clear risk disclosures and live performance evidence before trusting the bot.
This is a normal Polymarket setup path, but an unexpected or compromised dependency version could expose sensitive wallet material during setup.
The user-directed credential-generation step installs an external package without a pinned version and uses it with wallet private-key material.
pip install py-clob-client ... key="YOUR_WALLET_PRIVATE_KEY" ... creds = client.create_api_key()
Install from a trusted environment, verify the package/source, pin versions where possible, and remove private-key material immediately after generating API keys.
