Polymarket Arbitrage

Audited by ClawScan on May 10, 2026.

Overview

The skill mostly matches its Polymarket monitoring purpose, but it should be reviewed because it logs credential-bearing webhook URLs and runs shell commands built from configurable paths.

Before installing, treat this as a Polymarket monitoring and paper-trading helper, not an automated trading system. Run it in a virtual environment, avoid real webhook tokens until logging is fixed, use only trusted simple paths, and manually verify any market opportunity before risking funds.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If alerts are enabled, a bot token or chat identifier could appear in terminal output, logs, or captured agent transcripts.

Why it was flagged

The optional webhook URL can contain a Telegram or Discord token, and the code prints the full credential-bearing URL instead of redacting it.

Skill content
if webhook_url:
    print(f"[ALERT] Would send to webhook: {webhook_url}", file=sys.stderr)
Recommendation

Do not pass real webhook URLs until tokens are redacted and the optional credential is declared; prefer environment variables or a secret store.

What this means

A crafted path containing shell metacharacters could cause unintended commands to run under the user's account.

Why it was flagged

The script constructs shell command strings using file paths derived from configurable data directories, then runs them with shell=True and no quoting.

Skill content
fetch_cmd = f"python3 {script_dir}/fetch_markets.py --output {markets_file} --min-volume 50000"
...
subprocess.run(cmd, shell=True, ...)
Recommendation

Use only simple trusted paths, or update the script to call subprocess.run with argument lists and shell=False.
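Added example (not the skill's own code) contrasting the flagged string-building pattern with the recommended argument-list form; the script_dir and markets_file names and fetch_markets.py come from the finding above, while the sample paths are constructed.

```python
import shlex
import subprocess
import sys
from pathlib import Path

# Example code, not part of the audited skill. The paths used in __main__ are
# constructed to show how a metacharacter in a path is treated by each form.


def build_fetch_cmd_unsafe(script_dir: str, markets_file: str) -> str:
    """Mirrors the flagged pattern: a single string later run with shell=True.
    Anything in the paths is interpreted by the shell, including ';' and quotes."""
    return f"python3 {script_dir}/fetch_markets.py --output {markets_file} --min-volume 50000"


def build_fetch_cmd(script_dir: str, markets_file: str) -> list[str]:
    """Hardened form: each path is one argv element, handed to python3 verbatim
    no matter what characters it contains, because no shell parses it."""
    script = Path(script_dir) / "fetch_markets.py"
    return ["python3", str(script), "--output", markets_file, "--min-volume", "50000"]


def run_fetch(script_dir: str, markets_file: str, dry_run: bool = True) -> int:
    """Runs the argument list with shell=False. dry_run only prints the argv
    (shlex.join shows how it would look quoted) so the example stays offline."""
    cmd = build_fetch_cmd(script_dir, markets_file)
    if dry_run:
        print("would run:", shlex.join(cmd), file=sys.stderr)
        return 0
    return subprocess.run(cmd, shell=False, check=False).returncode


if __name__ == "__main__":
    # Constructed path carrying a shell metacharacter.
    odd_path = "data/markets.json; echo unexpected"
    print(build_fetch_cmd_unsafe("skills/polymarket", odd_path))  # one shell string
    print(build_fetch_cmd("skills/polymarket", odd_path))         # six argv entries
    run_fetch("skills/polymarket", odd_path)
```

With the list form the odd path stays a single `--output` value; with the string form and shell=True the shell would split at the semicolon.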

What this means

Future package changes or a compromised dependency could affect the skill's behavior.

Why it was flagged

The user-directed setup installs unpinned PyPI packages, while the registry lists no install spec or dependency declaration.

Skill content
pip install requests beautifulsoup4
Recommendation

Install in a virtual environment and pin known-good dependency versions before using it regularly.

What this means

It will continue making periodic Polymarket requests and updating local state until stopped.

Why it was flagged

The monitor is designed to run continuously and persist alert state, but this behavior is disclosed and user-stoppable.

Skill content
while True:
    ...
    time.sleep(interval)
Recommendation

Start with --once, then run continuous monitoring only in a controlled terminal/session and stop it when no longer needed.

What this means

Users might overestimate the skill's ability to execute trades, manage P&L, or enforce risk controls.

Why it was flagged

The description suggests execution and automation, but the detailed instructions say automation is future work and current trading should be manual.

Skill content
description: Monitor and execute arbitrage opportunities... automated trading strategies... Phase 4: Automation (Future)
Recommendation

Treat it as a monitoring/paper-trading tool only unless separate reviewed execution code is added.