ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Polymarket Bot Skill

Automate Polymarket bot operations including fetching market data, placing trades, and implementing strategies like arbitrage. Use when users need to build o...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
2 · 394 · 1 current installs · 1 all-time installs
by@deliverydriver
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
The name/description align with the included scripts (market fetch, auth, strategy, integration, copy-trading). Functionality requested (fetch markets, place trades, arbitrage, copy trading) is coherent with the code — however the registry metadata claims no required env vars/credentials while the code clearly requires a private key and produces API credentials, which is an important inconsistency.
!
Instruction Scope
SKILL.md and references instruct running scripts that handle private keys, derive API keys, and post signed messages to remote endpoints. The instructions implicitly permit long-running, autonomous trading (infinite loops, copying trades). The skill's runtime instructions and included code direct reading of environment variables (POLY_PRIVATE_KEY) and sending signatures/requests to external Polymarket endpoints — behaviors within the domain but sensitive and not declared in metadata.
Install Mechanism
There is no install spec (instruction-only install), which reduces installation risk. However, the code depends on third-party Python packages (web3, requests, dotenv, asyncio, possibly pandas) that are not declared; installing/running them will be required by the user and could pull external packages.
!
Credentials
The skill metadata lists no required env vars, yet scripts expect a POLY_PRIVATE_KEY and produce/handle API keys/secrets. Requesting a raw private key (and deriving/POSTing signatures) is high sensitivity — the skill should clearly declare this as a required credential and explain secure handling. The number and sensitivity of credentials used (private key → API creds) is proportionate to trading functionality but is not reflected in the registry metadata.
Persistence & Privilege
The skill is not marked always:true, does not request system-wide config changes, and does not attempt to modify other skills or agent config. It runs as scripts and will only persist data if the user runs them locally — no elevated platform privilege is requested.
What to consider before installing
Key points before installing or running this skill: - Metadata mismatch: The registry metadata claims no required environment variables, but the code expects a POLY_PRIVATE_KEY and derives API credentials. Treat that as a red flag: ask the publisher to update the metadata to list required secrets. - Sensitive operations: The code will sign messages with your private key and POST them to Polymarket endpoints to derive API credentials. Only provide private keys if you fully trust the code and publisher — prefer hardware wallets, ephemeral keys, or limited-scope keys where possible. - Test mode first: Run with dry_run=True and on a testnet or with a throwaway account to validate behavior. Do not run with dry_run=False on a funded account until you fully audit the code. - Audit network behavior: The scripts make HTTP requests to polymarket domains (gamma-api.polymarket.com, clob.polymarket.com, data-api.polymarket.com) — verify those endpoints and ensure TLS is used. Inspect any unexpected outbound hosts before using. - Code quality issues to fix before trusting: auth uses signTypedData (ensure correct EIP-712 usage), authenticate_with_clob posts a signed_message (review what is sent), and some code passes api_creds into requests.get via auth=self.api_creds (this may not be correct and could leak data). Have a developer review these details. - Dependency management: The skill relies on web3.py, requests, dotenv, asyncio, etc. Install these from official sources and run in an isolated virtual environment or container. - Operational risk: The bot can automatically place trades (including copy-trading). This exposes you to financial loss, MEV, front-running, slippage, and rate-limit issues. Use rate limiting, position limits, and monitoring as suggested in references. - If you cannot audit the code, avoid providing real private keys. Ask the publisher for clearer metadata, dependency lists, and a security/privacy statement. Consider running the skill in a sandbox or with a read-only API credential (if available).

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk976w2vpk5a1cjhkpfe0qa5y6d81kwy1

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Polymarket Bot Skill

Overview

This skill enables the creation and operation of a Polymarket bot for tasks such as fetching active markets, monitoring prices, placing orders, and running strategies. It's designed for users involved in cryptocurrency prediction markets, helping automate interactions via the Polymarket APIs while minimizing risks.

Quick Start

To get started, use the scripts in this skill to initialize and run a basic bot. For example, execute scripts/fetch_markets.py to retrieve active markets, then use scripts/bot_strategy.py for arbitrage checks.

Task-Based Structure

This skill is organized by tasks from the SOP, providing modular components for bot development.

Step 1: Research and Setup Prerequisites

  • Review Polymarket APIs (Gamma, CLOB, Data) as outlined in the SOP.
  • Ensure tools like Python and Web3.py are installed.
  • Reference references/api_guide.md for detailed API usage.

Step 2: Define Bot Functionality and Strategy

  • Implement core features like data fetching and trade execution.
  • Use prompts in references/prompts.md to generate code for strategies.
  • Example: Run scripts/strategy_logic.py for arbitrage detection.

Step 3: Development Phases

  • Data Fetching Module: Use scripts/fetch_markets.py to query markets.
  • Authentication and Trading Setup: Handle in scripts/auth_setup.py.
  • Testing and Deployment: Test with scripts/test_bot.py and deploy via references.

Step 4: Potential Challenges and Mitigations

  • Reference references/challenges.md for rate limits, fees, and security tips.

Step 5: Resources

  • See below for scripts and references based on the SOP.

Resources

scripts/

  • fetch_markets.py: Script to fetch and parse market data from Polymarket APIs.
  • auth_setup.py: Handles authentication and deriving API keys.
  • strategy_logic.py: Implements bot strategies like arbitrage.
  • bot_integration.py: Combines phases into a full bot script.

references/

  • api_guide.md: Documentation on Polymarket APIs and setup.
  • strategy_examples.md: Examples of prompts for code generation.
  • challenges.md: Common issues and mitigations for bot development.

assets/

  • (No assets needed for this skill at the moment.)

Files

10 total
Select a file
Select a file to preview.

Comments

Loading comments…