Nash0 Polymarket CLI
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This is a coherent Polymarket CLI helper, but it can perform real trading or account actions if the user confirms them.
This skill appears safe for read-only Polymarket research and account checks. Treat any trade, cancellation, approval, bridge, API-key, or notification change as a real account action: confirm only after checking all details, and never share or expose your private key.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the user confirms one of these commands, the agent could place trades, cancel orders, approve contracts, or move assets through the Polymarket CLI.
The skill exposes commands that can change financial or on-chain state, but it explicitly requires user confirmation before those actions.
Ask before running any command that can:
- place, modify, or cancel orders
- approve contracts
- split, merge, redeem, or bridge assets
Only confirm actions after verifying the exact market/token, side, price, size, and expected impact; keep use read-only unless you intend to trade.
A configured wallet could authorize account reads or confirmed trades through the CLI.
Authenticated and trading commands may rely on local wallet/private-key configuration, even though the skill tells the agent not to read private-key files directly.
The CLI checks private key sources in this order:
1. `--private-key`
2. `POLYMARKET_PRIVATE_KEY`
3. `~/.config/polymarket/config.json`
Use a wallet you are comfortable connecting, do not paste private keys into chat, and verify which local Polymarket account the CLI is using before approving actions.
Installing or updating the external CLI determines what code runs locally when the agent uses `polymarket`.
The skill depends on an external CLI installed from Homebrew/GitHub; this is expected for the purpose and is not auto-executed by the skill, but the user must trust the upstream package.
brew tap Polymarket/polymarket-cli https://github.com/Polymarket/polymarket-cli
brew install polymarket
Install the Polymarket CLI only from a trusted upstream source and review its permissions before using it with a funded wallet.
