Skill v1.0.0

ClawScan security

Neckr0ik Polymarket Paper · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 7, 2026, 3:34 AM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's code, CLI instructions, and resource needs are consistent with a local paper-trading tool; it stores data under the user's home directory and does not request external credentials or unusual system access.
Guidance
This skill appears coherent and self-contained: it stores account and leaderboard data under ~/.polymarket-paper and does not ask for API keys or system-wide credentials. Before installing or allowing autonomous use, review the rest of the Python code (the truncated portion) for any network calls or external endpoints (urllib imports suggest possible requests). If you plan to use 'live market data', confirm which API/URL the tool will call and whether any API keys or telemetry are required. Also note the tool will create and modify files in your home directory; back up any important data and inspect those files if you have privacy concerns. If you want stronger assurance, run the script in a sandboxed environment first.

Review Dimensions

Purpose & Capability
ok: Name/description (paper trading for Polymarket) align with the included CLI instructions and Python implementation. The skill does not request unrelated credentials or binaries. Feature claims (accounts, portfolio, leaderboard, analytics) map to local data storage and sample market data in the code.
Instruction Scope
note: SKILL.md instructs use of a CLI that matches the included script. One minor mismatch: the README/manifest claims 'Real market data — Live Polymarket prices' while the provided code currently uses in-repo sample_markets (a stub). The remainder of the script (truncated) imports urllib, which could be used for network calls; this would be coherent if used to fetch market prices, but you should review the rest of the code for any external endpoints before enabling network access.
Install Mechanism
ok: No install script or remote download is specified (instruction-only with one local Python script). No archives or remote installers are fetched; this is low-risk from an installer perspective.
Credentials
ok: The skill requests no environment variables, no credentials, and no special config paths. Its file writes are limited to a dedicated directory under the user's home (~/.polymarket-paper), which is proportionate for storing accounts and leaderboard data.
Persistence & Privilege
ok: The skill is not forced always-on, and it does not attempt to modify other skills or global agent settings. It persists only its own account and leaderboard JSON files under the user's home directory.