Polymarket News Monitor
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: polymarket-news-monitor Version: 1.0.0 The skill is a Polymarket news and API status monitor. It fetches data from official Polymarket RSS feeds and health endpoints, processes it for importance, and can send alerts to a user-configured webhook URL. All network activity (GET requests to Polymarket, POST to user-defined webhook) and local file operations (logging, state management) are directly aligned with its stated purpose. There is no evidence of unauthorized data exfiltration, malicious execution, persistence mechanisms, or prompt injection attempts against the AI agent in the `SKILL.md` or `README.md` files. The use of `requests` is a standard practice for network communication.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If a user clones an unverified repository, they may run code that differs from the reviewed artifact.
The documentation instructs users to clone and run code from an external GitHub repository, while the registry source is listed as unknown. This is user-directed, but users should verify the repository before running it.
git clone https://github.com/mig6671/polymarket-news-monitor.git cd polymarket-news-monitor python3 scripts/polymarket-monitor.py
Install from the reviewed package when possible, or verify the GitHub repository, owner, and commit before running the script.
The script may fail unless requests is already installed, or it may rely on whatever local version is present.
The script uses the third-party requests package, but the skill has no install spec and the documentation claims no external dependencies. This looks like an undeclared dependency rather than malicious behavior.
import requests
Declare and pin the Python dependency, or verify the local requests installation before use.
The configured webhook service will receive alert details such as titles, URLs, timestamps, importance, and keywords.
When webhook notifications are enabled, alert data is posted to a user-configured webhook URL. This is disclosed and purpose-aligned, but it is still an external data flow.
requests.post(
self.config["notification"]["webhook"],
json=alert,
timeout=5
)Use only trusted webhook destinations and avoid placing secrets in alert titles, URLs, or configuration files.
If the user installs the cron entry, the monitor will keep running on a schedule and writing local state/log files.
The skill recommends a cron schedule, which would make the monitor run repeatedly after the initial setup. This is disclosed and user-directed.
Cron Setup (Recommended) # Check every 30 minutes */30 * * * * /path/to/polymarket-monitor.py --data-dir /path/to/data
Only add the cron job if continuous monitoring is desired, and remove the crontab entry when no longer needed.