Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
polymarket-minimal-buy-python
v1.0.0
Minimal Python client for authenticated Polymarket trading with private key from private.env, supporting market/limit buy/sell, order queries, and cancellati...
⭐ 0· 54·0 current·0 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence

Purpose & Capability
The name/description and the code match: the script implements authenticated Polymarket trading (market/limit buy/sell, order queries, cancellations) against clob.polymarket.com on chain 137. However, the registry metadata claims no required env vars or primary credential while both SKILL.md and the code require POLYMARKET_PRIVATE_KEY — this mismatch is important because it hides the need to supply a wallet private key.
Instruction Scope
SKILL.md and the script instruct the user to create a private.env and paste in a MetaMask/decentralized-wallet private key. The code reads that file and environment variables and will use the key to derive API creds and sign orders. While this is necessary for the stated trading functionality, it directs collection and local storage of a highly sensitive secret in plaintext and prompts the user to manually enter their private key — a risky practice that should be avoided or clearly warned about.
Install Mechanism
There is no platform install spec (instruction-only), so nothing is automatically downloaded by the skill bundle. SKILL.md tells the user to run 'pip install py-clob-client eth-account' — installing unpinned packages from PyPI is a moderate-risk operation (install-time code runs on the host). The skill does not pin versions or verify package provenance; the user should vet those packages before installing.
Credentials
The code requires a sensitive env var POLYMARKET_PRIVATE_KEY and optionally reads other POLYMARKET_* env vars (host, chain id, signature type, funder). The registry metadata does not declare required env vars/primary credential, so the required secret is not surfaced in the skill metadata. Requesting a wallet private key is expected for a signing client, but the omission from metadata and the instruction to store the key in a plaintext file is disproportionate without strong guidance or safer alternatives.
Persistence & Privilege
The skill is not marked 'always: true', does not request persistence, and does not modify other skills or system-wide settings. Autonomous invocation is allowed (platform default) but not combined with other unusual privileges.
What to consider before installing
This skill implements what it claims (a minimal Polymarket trading client) but requires you to provide a private wallet key. Do NOT paste your primary MetaMask or hot-wallet private key into a plaintext file. Consider these precautions before using the skill:
1) Prefer using a dedicated wallet with minimal funds for automated trading, or a signing service/hardware wallet, rather than dropping a private key into private.env.
2) Inspect and verify the py-clob-client and eth-account packages (source, version, checksums) before pip installing; consider pinning versions.
3) Be aware the registry metadata does not declare the required POLYMARKET_PRIVATE_KEY; treat that as a red flag and confirm expectations with the publisher.
4) Run this in an isolated environment (VM or container) and avoid storing production keys in plaintext.
5) If you cannot supply a private key safely, seek an integration that uses an external wallet connector or server-side signing so secrets are not placed into local files.

Like a lobster shell, security has layers: review code before you run it.
latest: vk971mywj9n8sq6vqkmbj11e9zs83g0j6
