Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Polymarket Arbitrage Cn
v1.0.0 · Polymarket Arbitrage. Prediction market arbitrage opportunities. Auto discover price differences. Trigger words: Polymarket, prediction market, 套...
by Guohongbin (@guohongbin-git)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign (high confidence)
Purpose & Capability
Name/description, SKILL.md, and included scripts all focus on finding arbitrage on Polymarket by scraping the site, detecting math arbs, and monitoring — the requested files, data storage, and optional webhook are coherent with that purpose. No unrelated environment variables, binaries, or external services are required.
Instruction Scope
SKILL.md instructs running the included Python scripts and storing results locally, which is appropriate. The monitor script prints alerts and can accept a webhook URL but does not itself post to external services (it only prints a 'Would send' message). One implementation detail: monitor.py constructs shell command strings and runs them with subprocess.run(shell=True), embedding user-controlled arguments (like --data-dir if provided). That can be a source of command injection if a user supplies maliciously crafted arguments when invoking the monitor. Functionally this does not contradict the skill purpose, but it's an implementation risk to be aware of.
Install Mechanism
No automatic install spec; SKILL.md advises installing Python dependencies with pip (requests, beautifulsoup4). No downloads from arbitrary URLs or archive extraction. This is low-risk and proportionate to the skill.
Credentials
The skill requests no environment variables, no credentials, and stores data locally under ./polymarket_data by default. References to wallet/private-key management are only in documentation for a future automation phase and are not required by the supplied scripts.
Persistence & Privilege
always is false, the skill is user-invocable only, and it does not attempt to modify other skills or system-wide settings. It persists its own monitoring state in a local data directory (polymarket_data), which is expected behavior.
Assessment
This skill appears to do what it claims: scrape Polymarket homepages, detect simple arbitrage opportunities, and save/alert locally. Before running it:
(1) Start in paper-trade mode as recommended and inspect the output files in ./polymarket_data.
(2) Run inside a Python virtualenv and review the scripts yourself.
(3) Be cautious when running monitor.py with non-default arguments: monitor.py builds shell command strings and calls subprocess.run(shell=True) using paths that can include user-supplied values (e.g., --data-dir). Avoid passing untrusted inputs containing shell metacharacters; if you want to be extra safe, run the single-run mode (--once) or modify run_command to use a list of args (shell=False).
(4) Understand scraping limitations: homepage percentages may be midpoints and not executable orderbook prices — the skill itself documents this risk.
(5) Do not plug in wallet private keys or automation until you have thoroughly validated results with manual trades; the code does not manage private keys, and automating execution introduces substantial additional risk.
Like a lobster shell, security has layers — review code before you run it.
arbitrage, latest, polymarket, trading
Runtime requirements
📊 Clawdis
