Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

mypolytrade

v1.0.0

Autonomous AI Polymarket trader with self-adaptive strategies. Auto-analyzes markets using OpenNews API and web search, adapts strategy based on conditions,...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill describes itself as an autonomous Polymarket trader, yet the registry declares no required env vars or credentials. The SKILL.md, however, embeds an OPENNEWS token and describes Telegram reporting (which would require a bot token). Paper-trading may not need wallet keys, but the presence of external-service tokens and reporting channels is not reflected in the declared requirements.
Instruction Scope
Runtime instructions direct the agent to: run market-listing commands (list_markets), perform arbitrary web searches, call an external OpenNews API, and autonomously 'execute' trades. The autonomy directive ('Don't ask for permission — execute') gives the agent broad discretion. The SKILL.md contains full curl examples and a hard-coded Bearer token for ai.6551.io, and references Telegram reporting without specifying how the Telegram bot is authenticated.
Install Mechanism
The install uses a 'uv' package (polymarket-paper-trader) that creates binaries (pm-trader, pm-trader-mcp). Installing a package that places executables on PATH is a moderate risk compared with instruction-only skills. The package source shown in the metadata is not a well-known release host; verify the package publisher and review the package contents before installing.
Credentials
Registry metadata lists no required environment variables, yet SKILL.md includes a hard-coded OPENNEWS_TOKEN (JWT) and calls an external API. It also claims Telegram reporting but does not declare a TELEGRAM_BOT_TOKEN or similar. This mismatch (undeclared credential usage and embedded token) is disproportionate and unusual.
Persistence & Privilege
The 'always' flag is false, and no config paths or persistent privileges are requested. Autonomous invocation is enabled by default (normal), but combined with the earlier concerns about undeclared credentials and the execution/install of binaries, the agent's autonomy raises the potential blast radius.
Scan Findings in Context
[hardcoded-opennews-token-in-SKILL.md] unexpected: SKILL.md contains a hard-coded OPENNEWS_TOKEN (Bearer JWT) and example curl calls to https://ai.6551.io. The registry declares no required env vars—embedding a token in documentation/runtime instructions is unexpected and a data-exfiltration / credential-leak risk.
[no-regex-findings] expected: Static regex scanner reported no findings (no code files to analyze). However, manual review of SKILL.md revealed the embedded token and external endpoints – absence of code does not mean absence of risk.
What to consider before installing
Do not install or enable this skill without mitigation. Ask the publisher for: (1) the package source and a link to the exact release or repository branch for the 'uv' package and the pm-trader binaries so you can inspect them; (2) why an OPENNEWS_TOKEN is embedded in SKILL.md and whether you should replace it with your own credential stored in an env var; (3) how Telegram reporting is authenticated (where the bot token comes from). If you proceed, run the package in an isolated sandbox or VM, review the installed binaries' code before executing, remove or rotate any embedded credentials, and avoid giving any wallet/private keys or unrelated API tokens. If you cannot verify the package source or code, treat it as untrusted.


latest: vk97cg27gpcbc5s82qhsfth5bfx83ae6h


Runtime requirements

🎯 Clawdis
Bins: pm-trader-mcp, python3

Install

uv
Bins: pm-trader, pm-trader-mcp
uv tool install polymarket-paper-trader
