Polymarket Weather Scanner

PassAudited by ClawScan on May 1, 2026.

Overview

This is a coherent weather-market scanning skill, with the main caution that it sends scan requests and any scanner API key to a disclosed external service.

This skill appears safe to use for user-requested weather-market scans, but only install it if you trust the polymarket-scanner.fly.dev service. Avoid setting POLYMARKET_SCANNER_HOST unless you trust the alternate host, use a dedicated scanner API key if you enable full access, and do not provide wallet private keys or trading credentials.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Low

#ASI02: Tool Misuse and Exploitation

What this means

Scan requests leave the local machine, and if POLYMARKET_SCANNER_HOST is set to another host, requests would go there instead.

Why it was flagged

The script uses curl to contact a remote API and allows the destination host to be overridden by an environment variable. This is consistent with the scanner purpose, but it is a trust boundary users should notice.

Skill content

HOST="${POLYMARKET_SCANNER_HOST:-https://polymarket-scanner.fly.dev}" ... curl ... "${HOST}/scan/weather?days_ahead=${DAYS}"

Recommendation

Use the default host unless you intentionally trust an alternate scanner service, and verify POLYMARKET_SCANNER_HOST is not set unexpectedly.

Low

#ASI03: Identity and Privilege Abuse

What this means

Anyone controlling the destination service could receive the scanner API key and potentially use the associated scanner tier or quota.

Why it was flagged

The optional scanner API key is sent as an HTTP header to the scanner API. This is declared and purpose-aligned, but it is still a credential for the service.

Skill content

API_KEY="${POLYMARKET_SCANNER_API_KEY:-}" ... ${API_KEY:+-H "X-API-Key: ${API_KEY}"}

Recommendation

Use only a dedicated scanner API key, do not provide wallet or trading credentials, and rotate the key if you suspect it was exposed.

Info

#ASI04: Agentic Supply Chain Vulnerabilities

What this means

You have limited independent information about who operates the backend service beyond the disclosed API URL.

Why it was flagged

The skill has no listed source repository or homepage, while its functionality depends on a hosted backend. This is a provenance note rather than evidence of malicious behavior.

Skill content

Source: unknown; Homepage: none

Recommendation

Install only if you are comfortable trusting the hosted scanner service, especially before setting a paid-tier API key.