Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Polymarket News Events

v2.0.3

Monitors 20+ premium RSS feeds for breaking news and matches stories to Polymarket markets via keyword analysis. Trades when breaking news creates an estimat...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description, SKILL.md, and the included Python file all describe the same capability: monitoring RSS feeds and trading via a Simmer/Polymarket client. The declared pip dependencies and the use of SIMMER_API_KEY in code are appropriate for that purpose.
Instruction Scope
SKILL.md instructs running news_events.py (dry-run by default; --live to execute real trades). The runtime instructions and the code align: the script polls feeds, filters stories, matches markets, estimates impact, and (when live) places trades. No instructions attempt to read unrelated system secrets or external endpoints beyond news feeds and the trading API. Note: the skill writes a state file to /tmp/polymarket_news_seen.json to track seen stories.
Install Mechanism
There is no install spec (instruction-only), so nothing is automatically downloaded or extracted. The manifest lists pip dependencies (simmer-sdk, requests, feedparser) which are reasonable and expected for this functionality. Installing those packages is normal but still executes third-party code on your system.
Credentials
The SKILL.md requires SIMMER_API_KEY, which is consistent with the code. However, clawhub.json lists both SIMMER_API_KEY and TRADING_VENUE in requires.env even though the code treats TRADING_VENUE as optional (os.environ.get with a default). The registry metadata also does not mark a primary credential, although the skill clearly needs an API key. This mismatch between manifest and code is an inconsistency to be aware of. Asking for a trading API key is proportionate to the purpose, but that key is sensitive (it grants trading capability) and should be scoped or limited where possible.
Persistence & Privilege
The manifest includes a cron schedule (*/3 * * * *), which implies periodic autonomous runs every 3 minutes. Although always:false is set, this frequent scheduled execution combined with the ability to execute real trades (via --live) increases operational risk—especially if configuration or flags could be changed to enable live trading unattended. The skill does not request platform-wide privileges, but periodic autonomous trading increases the potential for monetary loss if it is misconfigured or compromised.
What to consider before installing
This package appears to be a coherent news-driven trading bot, but treat it as high-risk until you verify details. Before installing or running:

1) Inspect the full news_events.py (the included file is present) to confirm there is no hidden network exfiltration or unexpected endpoints beyond typical RSS feeds and the simmer client.
2) Do not supply a production SIMMER_API_KEY until you've run dry-runs and reviewed behavior; if possible use an API key with limited permissions/funds.
3) Note the manifest's cron: the skill may be scheduled to run every 3 minutes — ensure it will not be started in live mode automatically.
4) Address the manifest inconsistencies (TRADING_VENUE listed as required while code treats it as optional; no primary credential set) or ask the author to fix them.
5) If you plan to run live trading, run inside a controlled environment, monitor trades closely, and rotate/revoke keys after testing.

If you are not comfortable auditing the code yourself, do not provide real trading credentials.
