Storyclaw Polymarket Trading
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: storyclaw-polymarket-trading Version: 0.1.0 The skill bundle implements a functional Polymarket trading bot with support for both dry-run (simulated) and live trading. It includes comprehensive logic for market scanning (market_scanner.py), signal analysis (signals.py), and automated strategy improvement (strategy_manager.py). While the bot handles sensitive information like private keys and modifies system crontabs for scheduling, these actions are transparently documented in SKILL.md and are necessary for the stated purpose; the code also includes security best practices such as restricted file permissions (0o600) for credential storage in polymarket.py.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
After live mode is enabled, the bot can spend real funds on Polymarket trades without asking before each trade.
Once a strategy status becomes live, the scheduled worker can call the trading command automatically rather than just recording a dry-run order.
dry_run = strategy.get("status") != "live" ... else: ... ["python3", os.path.join(SCRIPTS_DIR, "polymarket.py"), "trade", trade_token, "BUY", str(size)]Only use live mode with a low-funded wallet, explicit per-strategy and total loss limits, and a clear process to pause or disable trading jobs.
Anyone who obtains the stored private key or API credentials may be able to act on the associated Polymarket wallet/account.
The skill loads a wallet private key and API credentials to build a Polymarket trading client, which is expected for the bot but grants high-impact account authority.
private_key = config.get("private_key") ... client = ClobClient(HOST, chain_id=CHAIN_ID, key=private_key, creds=creds, funder=funder)Use a dedicated wallet with limited funds, protect credential files, rotate credentials if exposed, and avoid using a primary wallet.
The bot may keep scanning and, if live mode is active, trading on a schedule until the cron entries are removed or the strategy is paused.
The documented setup installs a recurring cron job that continues running the strategy worker every 15 minutes.
(crontab -l 2>/dev/null; echo "*/15 * * * * USER_ID=$TELEGRAM_USER_ID python3 $SKILL_PATH/scripts/signal_cron.py $STRATEGY_ID >> $SKILL_PATH/state/$TELEGRAM_USER_ID.$STRATEGY_ID.log 2>&1") | crontab -
Review crontab before enabling this skill, document and test a stop/uninstall command, and remove cron entries when you no longer want automated trading.
Installing the dependency this way may affect other Python software or pull a version different from what the skill was tested with.
The skill relies on an unpinned external Python package and suggests installing it with a flag that can modify the system Python environment.
Run: pip3 install py-clob-client --break-system-packages
Install dependencies in a virtual environment, pin reviewed versions, and avoid `--break-system-packages` unless you understand the system-level impact.