Skill v1.0.0
ClawScan security
Polymarketodds 1.0.0 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 23, 2026, 8:01 AM
- Verdict
- Benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is internally consistent: it queries Polymarket's public Gamma API, stores only local JSON under ~/.polymarket, requires only python3, and does not request credentials or external access beyond the documented API.
- Guidance
- This skill appears coherent and implements the advertised functionality using Polymarket's public Gamma API and local JSON files. Before installing: 1) Confirm your environment has Python 3.10+ and the 'requests' package (pip install requests) or the script may fail. 2) Review the full script for any notification/webhook code or outbound POSTs (search for requests.post, subprocess, socket, or remote URLs) if you want to be extra cautious—SKILL.md claims it only performs GETs to the public API. 3) Be aware it will create ~/.polymarket and store watchlist/portfolio data there; if you run cron jobs, ensure the scheduled commands point to the intended script path. 4) Run the script as an unprivileged user (no sudo) and inspect its output in a controlled environment if you have high security requirements.
Review Dimensions
- Purpose & Capability
- ok: Name/description match behavior: the code and SKILL.md implement market queries, trending/movers, watchlist/alerts, calendar, and a local paper-trading portfolio. Required binary (python3) and use of Polymarket's public API are appropriate for this purpose.
- Instruction Scope
- ok: SKILL.md instructs the agent/user to run the included Python script with various subcommands. The instructions operate by making HTTPS GET requests to gamma-api.polymarket.com and reading/writing local files in ~/.polymarket. There is no instruction to read unrelated system files or exfiltrate data.
- Install Mechanism
- note: No install spec is provided (instruction-only), which is low-risk. The script header documents a dependency on the Python 'requests' package, but SKILL.md/registry metadata do not provide an installation step; users should ensure 'requests' is available in the environment (pip install requests) before running.
- Credentials
- ok: No environment variables, credentials, or external secrets are requested. All persistent data (watchlist.json, portfolio.json) is stored under ~/.polymarket as documented; this is proportional to the stated features.
- Persistence & Privilege
- ok: The skill does not request always: true and disable-model-invocation is set to true (cannot be invoked autonomously). It only creates/uses its own data directory (~/.polymarket) and does not modify other skills or system-wide configs.
