Polymarket Arbitrage
v0.1.0
Monitor and execute arbitrage opportunities on Polymarket prediction markets. Detects math arbitrage (multi-outcome probability mismatches), cross-market arbitrage (same event, different prices), and orderbook inefficiencies. Use when the user wants to find or trade Polymarket arbitrage, monitor prediction markets for opportunities, or implement automated trading strategies. Includes risk management, P&L tracking, and alerting.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (Polymarket arbitrage) align with the included scripts (fetch_markets.py, detect_arbitrage.py, monitor.py) and documentation. The files only perform scraping, local analysis, state persistence in ./polymarket_data, and optional alerting — all expected for this purpose. No unrelated credentials, cloud APIs, or system services are requested.
Instruction Scope
SKILL.md instructs the agent/user to install requests and beautifulsoup4 and run the Python scripts; scripts only read/write files under the skill directory and fetch polymarket.com for data. A minor runtime concern: monitor.py invokes other scripts via subprocess.run(..., shell=True) to run python3 commands; in the present code those commands are constructed from local paths and CLI args, so immediate injection risk is low, but shell usage increases attack surface if untrusted inputs are later introduced (e.g., returning crafted filenames or providing malicious CLI args). The skill does not currently access environment variables or other system configs outside its data directory. The README and code correctly call out that homepage percentages may be stale and that execution requires wallet integration (not implemented).
Install Mechanism
There is no formal install spec (instruction-only + included scripts). The SKILL.md tells users to pip install requests and beautifulsoup4 — a normal, low-risk dependency installation. No external archives, shorteners, or arbitrary downloads are used.
Credentials
The skill declares no required environment variables or credentials and the code does not read secrets. The README warns that Phase 4 automation would require wallet integration and private keys; that functionality is not implemented in the included scripts. If you extend this skill to automate trades, you will need to manage private keys securely. Currently there is no disproportionate credential request.
Persistence & Privilege
always is false and the skill does not modify global agent config or other skills. It persists only to a local ./polymarket_data directory and a small alert_state.json file. It runs as a user-level process and does not request elevated privileges.
Assessment
This skill appears internally consistent and does what it claims: scrape the Polymarket homepage, detect math arbs, and optionally alert. Recommendations before installing or running:
1) Run it in a controlled environment (local VM or isolated project) and paper-trade first — the code and docs repeatedly warn that homepage odds are often stale and that real execution is fast and competitive.
2) Inspect or pin Python dependencies you install with pip.
3) Do NOT supply private keys, wallet JSONs, or long-lived secrets to this skill unless you (a) implement secure key management and (b) audit any added execution logic — automation that holds keys is a major additional risk.
4) Be aware of webhook URLs: they often embed tokens (e.g., Telegram bot tokens); treat them as secrets and avoid pasting them into public logs.
5) Note the use of subprocess.run(..., shell=True): currently commands are generated from local paths and user CLI args, but if you modify the code to include user-supplied strings in those commands, validate/avoid shell=True to prevent command injection.
6) Expect functional fragility (HTML scraping heuristics can produce wrong probabilities); validate outputs against the live site before risking funds.
Like a lobster shell, security has layers — review code before you run it.
