Neckr0ik Polymarket Trader

Pass

Audited by ClawScan on May 1, 2026.

Overview

The skill appears to be a disclosed Polymarket arbitrage/news monitoring tool, with no artifact-backed evidence of hidden trade execution or data exfiltration, but users should notice optional API-key use, webhook alerts, and overconfident trading language.

Before installing, confirm you are comfortable with a trading-signal tool from an unknown source, use only limited-scope credentials if you set POLYMARKET_API_KEY, avoid enabling webhooks unless you trust the destination, and treat “risk-free” arbitrage claims as recommendations that still need independent verification.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If a user provides POLYMARKET_API_KEY, the skill may use that credential when contacting Polymarket.

Why it was flagged

The script can read a Polymarket API key from the local environment and send it as a Bearer token to Polymarket. This is purpose-aligned for live market data, but users should know the skill may use an account credential even though no required credential is declared.

Skill content

self.api_key = api_key or os.environ.get("POLYMARKET_API_KEY", "") ... headers["Authorization"] = f"Bearer {self.api_key}"

Recommendation

Use a least-privilege Polymarket key if available, avoid sharing keys with broader trading authority, and remove the environment variable when not needed.

What this means

Market alerts, keywords, or trading-signal details could be sent outside the local environment if webhook alerts are used.

Why it was flagged

The skill documents webhook-based alerting. This is user-directed and consistent with monitoring, but it can send alert contents to an external URL chosen at runtime.

Skill content

--webhook <url>       Send alerts to webhook

Recommendation

Only configure webhooks you control and understand what alert payloads will contain before enabling them.

What this means

Some documented commands or references may not work as described, and users may need to decide manually how to run the included script.

Why it was flagged

SKILL.md references supporting files that are not present in the provided manifest, and the registry states there is no install spec even though CLI commands are documented. This indicates incomplete packaging/provenance, not hidden execution.

Skill content

references/polymarket-strategies.md ... scripts/news_correlator.py

Recommendation

Prefer a version with a complete manifest, clear entrypoint, and declared runtime requirements before relying on it for trading workflows.

What this means

A user or agent might over-trust the trading recommendations and make financial decisions that are not actually risk-free.

Why it was flagged

The documentation uses confident financial phrasing around risk-free or locked profit. That may be expected for an arbitrage detector, but trading outcomes can still depend on liquidity, fees, timing, resolution rules, and execution risk.

Skill content

Use for prediction market trading and risk-free profit detection. ... Buy Polymarket, sell Kalshi. 7% locked profit.

Recommendation

Treat outputs as informational signals, independently verify market rules and execution costs, and do not allow automatic trading based only on these alerts.