Polymarket Trade Agent

v1.0.1

Trade on Polymarket by researching markets, analyzing event probabilities, managing USDC balance, and executing buy/sell orders with risk-controlled position...

by Han Wu (@hanswuhan)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The code and instructions match the stated purpose (research markets, check balance, place orders) and include expected dependencies (py-clob-client, web3, eth-account). However, the registry metadata declares no required environment variables, while SKILL.md and the code clearly require POLYMARKET_PRIVATE_KEY (and optionally POLYMARKET_FUNDER_ADDRESS), which is an inconsistency in the package metadata.
Instruction Scope
SKILL.md directs the user to export a raw private key from MetaMask and set POLYMARKET_PRIVATE_KEY in the environment — a highly sensitive operation. The CLI and trade.py use that key to derive API credentials and interact with Polymarket endpoints (clob.polymarket.com and data-api.polymarket.com), which is coherent with the purpose but risky. Additionally, SKILL.md labels POLYMARKET_FUNDER_ADDRESS as optional, yet trade.get_positions requires it and will raise an error; this mismatch can cause runtime failures.
Install Mechanism
No install script or remote downloads are present; the package is instruction-and-code only and lists dependencies in requirements/pyproject. No extract-from-URL or third-party installers were specified.
Credentials
Requesting the wallet private key is proportionate to an agent that must sign transactions, but it is a high-privilege secret and must be handled carefully. The code also reads POLYMARKET_SIGNATURE_TYPE (not documented in SKILL.md) and treats POLYMARKET_FUNDER_ADDRESS inconsistently. The metadata omission of required env vars increases risk because the platform-level manifest does not surface the sensitive requirement.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and has no install-time hooks that persist beyond the usual package footprint. Autonomous invocation is allowed (platform default) but not combined with other privilege-escalating flags.
What to consider before installing
This package implements a real trading client but asks you to provide your Polygon (Ethereum-style) private key — which gives full control over any funds in that wallet. Before installing or running it:

- Only use a wallet/private key you control and which contains minimal funds for testing (preferably a throwaway or test account). Never use your main funds/private key.
- Verify the source: the registry metadata and SKILL.md disagree about required env vars. Confirm the publisher and review the py-clob-client dependency and its trustworthiness.
- Consider running the code in an isolated environment (VM or container) and inspect the code yourself; the files here are readable and show the network endpoints used (clob.polymarket.com and data-api.polymarket.com).
- Note the SKILL.md guidance to export the raw private key from MetaMask is inherently risky — follow wallet best practices (use hardware wallets or signing-only flows where possible). If you must use an env var key, keep it in a restricted environment and rotate it afterward.
- Test read-only commands (address, markets, balance) first. Be cautious with buy/sell: start with tiny trades and confirm behavior.

If you want higher assurance, ask the publisher for provenance (homepage, source repo, or signed release) and a clear manifest of required environment variables and optional settings. If you cannot verify the author, treat the skill as high risk and avoid supplying a primary private key.

Like a lobster shell, security has layers — review code before you run it.
