PolyEdge - Polymarket Correlation Analyzer
v0.1.1
Detect mispriced correlations between Polymarket prediction markets. Cross-market arbitrage finder for AI agents.
⭐ 4 · 3.2k · 6 current · 6 all-time
by @sbaker5
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, medium confidence
Purpose & Capability
The code implements the claimed functionality (fetch Polymarket markets, analyze correlations, surface signals, and optionally expose an x402 pay-as-you-go HTTP API). However, the registry metadata and SKILL.md declare no required environment variables, while the code expects and uses several (PAYMENT_WALLET, PRICE_USDC, BASESCAN_API_KEY, BASE_RPC, REQUIRE_PAYMENT, all read from the environment). Payment-related configuration is consistent with the advertised pay-per-query API, but the lack of declared env requirements and the presence of a hardcoded PAYMENT_WALLET (an external address) are an editorial/information mismatch that users should be aware of.
Instruction Scope
Runtime instructions in SKILL.md focus on running analyzer.py and editing patterns.py; they do not instruct the agent to read local user files or secrets. The code performs only network calls to public APIs (Polymarket Gamma API, Base RPCs, BaseScan) and does not attempt to read the user's filesystem or env files beyond standard os.environ usage. The SKILL.md advertises an external pay endpoint (api.nshrt.com) which matches links and dashboard references in the code.
Install Mechanism
No install spec is provided (instruction-only / source-included). That minimizes hidden install-time risk. The repository is pure Python code that uses urllib for network I/O; nothing is downloaded at install time. If you run the docker-compose it references traefik and an external network, which is a deployment detail — but there is no remote arbitrary archive or shortener URL being pulled during install.
Credentials
The skill declares no required env vars but the code uses several environment variables and has defaults baked in. In particular PAYMENT_WALLET defaults to a specific hardcoded address (0xB8B9...), and PRICE_USDC and BASESCAN_API_KEY can be set via env. Directing payments to a default external wallet is a behavior users should treat as intentional monetization by the author; it's not a secret-exfiltration technique but it is a potentially surprising default if you deploy the API yourself without overriding PAYMENT_WALLET. There are no requests for unrelated credentials (AWS keys, github tokens, etc.), which is good.
Persistence & Privilege
The skill doesn't request permanent 'always' inclusion and doesn't modify other skills or system settings. It's a code bundle that can be run locally or hosted; it does not install agents or persist credentials into the host environment. Running the API server will accept requests and may cache verified payments in memory (VERIFIED_PAYMENTS), but that's local to the process.
What to consider before installing
High-level points to consider before installing or running this skill:
- Purpose and behavior: The code implements a Polymarket correlation analyzer and an optional paid HTTP API (x402) as described. Running analyzer.py locally to inspect two markets is low-risk aside from normal network calls to Polymarket's API.
- Default payment recipient: If you run the API server or deploy the provided docker-compose, the code's default PAYMENT_WALLET is hardcoded to an external address. Unless you explicitly set PAYMENT_WALLET to your own address via environment variables, payments will go to the author's wallet. This is not secret exfiltration but is a monetization choice you should be aware of.
- Undeclared env vars: The SKILL.md / registry metadata say “no required env vars,” but the code reads env vars (PAYMENT_WALLET, PRICE_USDC, BASESCAN_API_KEY, BASE_RPC, REQUIRE_PAYMENT). If you intend to host the service, set these deliberately and inspect defaults.
- Network behavior: The skill makes outbound requests to Polymarket (gamma-api.polymarket.com), BaseScan, and multiple public Base RPC providers. If you are in a restricted environment, be aware of these external calls. The x402 payment verification uses multiple third-party RPC endpoints as fallbacks — review those endpoints if you expect to control network endpoints.
- Audit before deploying publicly: If you plan to host the API or expose it to agents, do a quick code audit: verify the PAYMENT_WALLET is set to your address (or remove payment logic if you don't want payg behavior), confirm BASESCAN_KEY usage and rate limits, and test the payment verification logic to ensure it matches your security/financial expectations (e.g., re-check minimal amount/slippage tolerance, on-chain verification robustness).
- When to avoid: Do not give this skill any private keys or credentials. If you are not comfortable with the default payment wallet or with an external pay-to endpoint (api.nshrt.com referenced in docs), do not run the API server; instead run analyzer.py locally for one-off analyses.
If you want, I can: (1) point out the exact lines where PAYMENT_WALLET is set and used, (2) produce a minimal checklist of env vars to set before deploying, or (3) summarize how the x402 verification works step-by-step.
Like a lobster shell, security has layers — review code before you run it.
Tags: base, defi, latest, polymarket, trading, x402
