Neckr0ik Polymarket Trader

Pass

Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: neckr0ik-polymarket-trader
Version: 1.1.0

The skill bundle is a legitimate tool for monitoring Polymarket arbitrage opportunities. The core logic in `scripts/arbitrage_detector.py` uses the Python standard library to fetch market data from official Polymarket API endpoints and perform spread calculations. No evidence of data exfiltration, malicious execution, or prompt injection was found; the script only accesses the `POLYMARKET_API_KEY` environment variable as expected for its stated purpose.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If a user provides POLYMARKET_API_KEY, the skill may use that credential when contacting Polymarket.

Why it was flagged

The script can read a Polymarket API key from the local environment and send it as a Bearer token to Polymarket. This is purpose-aligned for live market data, but users should know the skill may use an account credential even though no required credential is declared.

Skill content

self.api_key = api_key or os.environ.get("POLYMARKET_API_KEY", "")
...
headers["Authorization"] = f"Bearer {self.api_key}"

Recommendation

Use a least-privilege Polymarket key if available, avoid sharing keys with broader trading authority, and remove the environment variable when not needed.

What this means

Market alerts, keywords, or trading-signal details could be sent outside the local environment if webhook alerts are used.

Why it was flagged

The skill documents webhook-based alerting. This is user-directed and consistent with monitoring, but it can send alert contents to an external URL chosen at runtime.

Skill content

--webhook <url>       Send alerts to webhook

Recommendation

Only configure webhooks you control and understand what alert payloads will contain before enabling them.

What this means

Some documented commands or references may not work as described, and users may need to decide manually how to run the included script.

Why it was flagged

SKILL.md references supporting files that are not present in the provided manifest, and the registry states there is no install spec even though CLI commands are documented. This indicates incomplete packaging/provenance, not hidden execution.

Skill content

references/polymarket-strategies.md ... scripts/news_correlator.py

Recommendation

Prefer a version with a complete manifest, clear entrypoint, and declared runtime requirements before relying on it for trading workflows.

What this means

A user or agent might over-trust the trading recommendations and make financial decisions that are not actually risk-free.

Why it was flagged

The documentation uses confident financial phrasing around risk-free or locked profit. That may be expected for an arbitrage detector, but trading outcomes can still depend on liquidity, fees, timing, resolution rules, and execution risk.

Skill content

Use for prediction market trading and risk-free profit detection. ... Buy Polymarket, sell Kalshi. 7% locked profit.

Recommendation

Treat outputs as informational signals, independently verify market rules and execution costs, and do not allow automatic trading based only on these alerts.