Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Polymarket BTC Trader

v1.0.0

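Fully automated trading bot for Polymarket BTC 5-minute Up/Down markets. Powered by MiniMax AI, with dual-signal decisions, automatic take-profit and stop-loss, real on-chain trading, and a web control panel.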


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for billychoiu/polymarket-btc-trader.

Install the skill "Polymarket BTC Trader" (billychoiu/polymarket-btc-trader) from ClawHub.
Skill page: https://clawhub.ai/billychoiu/polymarket-btc-trader
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install polymarket-btc-trader

ClawHub CLI


npx clawhub@latest install polymarket-btc-trader
Security Scan
Capability signals
Crypto · Requires wallet
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The name/description (Polymarket BTC trading bot) match the code and README (bot.py, status_server.py, web panel). However the registry metadata lists no required environment variables or credentials while the code and README clearly expect many sensitive env vars (POLYMARKET_API_KEY, POLYMARKET_API_SECRET, POLYMARKET_PRIVATE_KEY, RELAYER_API_KEY, AI API keys, wallet address, etc.). This mismatch is an incoherence: a trading bot legitimately needs these secrets, but the package metadata failing to declare them is unexpected and misleading.
Instruction Scope
SKILL.md gives concrete run steps (install.sh, copy .env from references, start scripts). The runtime instructions and code operate on local files (bot_status.json, decision_signal.json, trading_control.json) and read .env for credentials. They refer to OpenClaw-provided decision_signal.json (expected). No instructions request unrelated system files, but the skill will read and use highly sensitive keys from .env (private keys, API secrets). Also there are small inconsistencies in instructions vs code (panel port and skill paths — see guidance).
Install Mechanism
No external binary downloads or remote installers; install.sh creates a Python venv and pip-installs aiohttp, requests, python-dotenv, uvicorn — reasonable and proportionate for a Python web/bot project. The skill uses local scripts to copy files into $HOME/.openclaw/workspace which writes to disk but is expected for an install-as-skill flow.
! Credentials
The code expects multiple sensitive environment variables (Polymarket API key/secret/passphrase, relayer key, private wallet key/address, AI provider API keys). Those are proportionate to on-chain trading functionality, but the skill registry metadata declared none — that's an important omission. Users must be aware they'll need to provide private keys and API secrets; those grant the ability to sign and submit real trades on-chain and to authenticate to Polymarket.
Persistence & Privilege
The skill does not request always:true and is user-invocable only. It copies its files into a workspace and runs as separate processes (nohup + python), creating runtime files under the workspace. It doesn't appear to modify other skills or system-wide agent settings. Autonomous invocation is allowed by default (normal).
What to consider before installing
Do not supply real Polymarket/private-key credentials until you verify the source and intended behavior. Specific items to check before installing or running:

1) The registry metadata claims no required env vars, but bot.py and status_server.py expect many secrets (POLYMARKET_API_KEY, POLYMARKET_API_SECRET, POLYMARKET_PRIVATE_KEY, RELAYER_API_KEY, AI API keys). That mismatch is suspicious — ask the publisher why metadata omitted them.
2) Inspect references/.env.example to see exactly which placeholders will be written to $WORK_DIR/.env by the startup scripts.
3) Run first in isolated environment (VM or disposable container) and use paper/simulated mode only (do not enable real account mode or provide a private key).
4) Audit how the web panel/status server handles .env and status files: ensure it does not expose raw secrets via HTTP endpoints. Note the code builds HMAC headers using POLYMARKET_API_SECRET and will sign requests if provided.
5) There are small deployment inconsistencies: SKILL.md / README reference panel port 18095 but status_server.py uses PORT = 18795, and panel_start.sh references a slightly different SKILL_DIR; verify and correct paths before deployment.
6) Prefer to keep only minimal credentials in the bot's .env (paper-mode API credentials or read-only keys where possible) and never put long-term private keys on unknown third-party code.
7) If you need higher confidence, request the maintainer identity, a signed release, or run a line-by-line audit (focus on bot.py and status_server.py) and ensure you understand where and when signing/transactions occur.

If you can't verify provenance, treat the skill as untrusted and run only with simulated data.
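The mismatch between what the registry metadata declares and what the code reads can be checked mechanically before any credentials are supplied. The following is an added example, not code from the skill or from ClawHub: the sample sources are constructed stand-ins for bot.py and status_server.py, and the empty declared set is an assumed model of metadata that lists no environment variables.

```python
import ast

# Substrings that mark a variable name as likely secret material (assumed heuristic).
SENSITIVE_HINTS = ("KEY", "SECRET", "PRIVATE", "PASSPHRASE", "TOKEN")
ENV_CALLS = ("os.getenv", "os.environ.get")

def env_vars_read(source: str) -> set:
    """Names read via os.getenv("X"), os.environ.get("X") or os.environ["X"]."""
    found = set()
    for node in ast.walk(ast.parse(source)):
        key = None
        if isinstance(node, ast.Call) and node.args:
            if ast.unparse(node.func) in ENV_CALLS:
                key = node.args[0]
        elif isinstance(node, ast.Subscript) and ast.unparse(node.value) == "os.environ":
            key = node.slice
        # Only literal names can be resolved statically; dynamic keys are skipped.
        if isinstance(key, ast.Constant) and isinstance(key.value, str):
            found.add(key.value)
    return found

def audit(sources: dict, declared: set) -> dict:
    """Compare variables the code reads against those the metadata declares."""
    used = set().union(*(env_vars_read(text) for text in sources.values()))
    undeclared = sorted(used - declared)
    sensitive = [v for v in undeclared if any(h in v for h in SENSITIVE_HINTS)]
    return {"undeclared": undeclared, "undeclared_sensitive": sensitive}

# Constructed sample input: NOT the skill's real files, only the variable
# names the scan report mentions, read in the three common styles.
SAMPLE_SOURCES = {
    "bot.py": (
        "import os\n"
        'API_KEY = os.getenv("POLYMARKET_API_KEY")\n'
        'API_SECRET = os.environ.get("POLYMARKET_API_SECRET", "")\n'
        'PRIVATE_KEY = os.environ["POLYMARKET_PRIVATE_KEY"]\n'
        'AI_MODEL = os.getenv("AI_MODEL", "gpt-4o-mini")\n'
    ),
    "status_server.py": 'import os\nRELAYER = os.getenv("RELAYER_API_KEY")\n',
}
DECLARED_IN_METADATA = set()  # assumption: metadata declares no env vars

if __name__ == "__main__":
    report = audit(SAMPLE_SOURCES, DECLARED_IN_METADATA)
    for name in report["undeclared"]:
        flag = "SENSITIVE" if name in report["undeclared_sensitive"] else "info"
        print(f"{flag:9} undeclared env var: {name}")
```

To use it on a real checkout, load each `.py` file's text into the `sources` dict and pass the variable names the registry entry actually declares.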

Like a lobster shell, security has layers — review code before you run it.

latest vk97372pxwht6pvdqkw66md2gqn84an6m · 106 downloads · 0 stars · 1 version · Updated 3w ago · v1.0.0 · MIT-0

Polymarket BTC 5m Trading Bot

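Fully automated trading bot for Polymarket BTC 5-minute Up/Down markets.

Core features

Feature | Description
🤖 AI decisions | Supports MiniMax / OpenAI / SiliconFlow and any other OpenAI-compatible API
📊 Dual-signal system | AI analysis + price-gap arbitrage; trades only when both signals agree
💻 Web control panel | Real-time status, positions, win rate, AI reasoning log
🛡️ Risk protection | Take-profit and stop-loss, spread protection, depth protection
📡 External signals | Supports integration with the Simmer signal engine
⏰ High-frequency strategy | 3-minute candlestick momentum strategy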

Quick start

cd polymarket-btc-bot

# 1. Install dependencies
bash scripts/install.sh

# 2. Configure (required)
cp references/.env.example .env
nano .env

# 3. Start the bot
bash scripts/bot_start.sh

# 4. Start the control panel
bash scripts/panel_start.sh
# Open http://localhost:18095

Directory structure

polymarket-btc-bot/
├── SKILL.md
├── README.md
├── bot.py
├── status_server.py
├── scripts/
│   ├── install.sh
│   ├── bot_start.sh
│   └── panel_start.sh
├── references/
│   ├── .env.example
│   └── STRATEGY.md
└── assets/public/

AI provider configuration

# MiniMax (recommended for users in China)
AI_PROVIDER=minimax
AI_BASE_URL=https://api.minimax.chat/v1
AI_API_KEY=your_key_here
AI_MODEL=MiniMax-M2.7

# OpenAI
AI_PROVIDER=openai
AI_BASE_URL=https://api.openai.com/v1
AI_API_KEY=your_key_here
AI_MODEL=gpt-4o-mini

# SiliconFlow (free quota)
AI_PROVIDER=siliconflow
AI_BASE_URL=https://api.siliconflow.cn/v1
AI_API_KEY=your_key_here
AI_MODEL=deepseek-ai/DeepSeek-V3

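Strategy

The bot runs two signals at the same time, and both must agree before it opens a position:

Signal 1: AI decision

  • Current BTC price, 24h high and low, intraday change
  • 15-minute candlestick pattern (trending/ranging)
  • 3-minute volume change
  • Current position status and unrealized profit
  • Output: BUY_UP / BUY_DOWN / HOLD

Signal 2: Price-gap arbitrage

BTC_5m_change = (BTC_now - BTC_5min_ago) / BTC_5min_ago
signal = BTC_5m_change * 10
price_gap = PM_UP_price - 0.5
divergence = signal - price_gap
  • divergence > 0.003 → buy UP
  • divergence < -0.003 → buy DOWN

HOLD conditions (no position opened)

  • AI signal = HOLD
  • Strategy signal shows no clear divergence
  • A position is already open
  • Time remaining < 3 minutes
  • Spread > 6%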

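Advanced parameters

Parameter | Default | Description
AI_ENABLED | true | Whether to enable AI decisions
HF_ENABLED | true | Whether to enable the high-frequency strategy
KELLY_FRACTION | 0.25 | Kelly fraction

See references/STRATEGY.md for details.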

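Common commands

# Show the bot process
ps aux | grep bot.py | grep -v grep

# Follow the log in real time
tail -f bot.log

# Restart the bot
pkill -f "bot.py"
bash scripts/bot_start.sh

# Check the panel
curl http://localhost:18095/

Known limitations

  • BTC 5m markets: each market expires every 5 minutes; the bot automatically finds the current window
  • Recommendation: works best when paired with the Simmer signal engine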
