Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Polymarket Cryptos Hunter

v2.0.0

HFT Market Making bot for Polymarket. Live execution via Web3 and CLOB API.

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for thony32/polymarket-cryptos-hunter.

Prompt preview (Install & Setup):
Install the skill "Polymarket Cryptos Hunter" (thony32/polymarket-cryptos-hunter) from ClawHub.
Skill page: https://clawhub.ai/thony32/polymarket-cryptos-hunter
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install polymarket-cryptos-hunter

ClawHub CLI

npx clawhub@latest install polymarket-cryptos-hunter

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The name/description (HFT market-making on Polymarket) matches the code: it uses a CLOB REST/WS client and web3 to read balances and place orders. However the registry/metadata claims no required environment variables, while the code clearly expects a WALLET_PRIVATE_KEY and optionally Polymarket API credentials — an inconsistency between declared requirements and actual needs.
Instruction Scope
SKILL.md instructs the agent to start the bot in the background using nohup & and says the agent's only role is to start it. It does not mention supplying a .env, the need to provide a private key, how keys are stored, or safety checks (dry-run/testnet). The runtime instructions therefore omit critical operational details and give broad permission to start a long-running process without confirmation or safeguards.
Install Mechanism
There is no install spec (instruction-only install), which reduces install-time risk. A requirements.txt is included but the SKILL.md doesn't specify installing dependencies or setting up the virtualenv; that mismatch may lead users to run the script in an unprepared environment. No external download URLs or installers are present in the bundle.
Credentials
The code requires WALLET_PRIVATE_KEY (and references POLYMARKET_API_KEY/SECRET/PASSPHRASE) which are highly sensitive. Those credentials are necessary for live trading, so their presence can be legitimate — but the skill metadata and SKILL.md do not declare or explain them, nor do they warn about the security implications. That lack of transparency is a security concern.
Persistence & Privilege
The agent is instructed to launch an indefinite background process (nohup ... &). The bot also writes logs and an sqlite audit DB to the working directory. Persistent processes that hold secret keys are a higher-risk posture: if the process is compromised it could leak or misuse funds. The skill does not request 'always:true' but it does request persistence via the instructions.
What to consider before installing
This skill runs a live trading bot and requires your wallet private key and possibly Polymarket API credentials, but the package metadata and instructions do not disclose that — proceed cautiously. Before installing or running:

(1) do not use your mainnet/private production wallet; use a burner wallet with minimal funds and test on a testnet if possible;
(2) read the entire main.py to completion (search for any hard-coded endpoints, telemetry, or unexpected network calls);
(3) ensure you understand where RPC provider and credentials are sourced (the code expects an env WALLET_PRIVATE_KEY);
(4) run inside an isolated environment (container or VM) and with limited filesystem permissions;
(5) install dependencies in a venv and run initially with a dry-run or simulation mode (if available) — do not start the bot in background on a machine with valuable keys until you’re comfortable;
(6) consider having an independent code audit if you will use real funds.

The inconsistencies (no declared env vars vs code requiring secrets, lack of setup instructions, and the advice to spawn a persistent background process) are why this is flagged as suspicious rather than benign.

Like a lobster shell, security has layers — review code before you run it.

latest vk979fjnccxkvaw9n2qyfhf602x83ggqj
93 downloads
0 stars
1 version
Updated 1mo ago
v2.0.0
MIT-0

Hunter Ultimate - Live Trading

This is a continuous, high-frequency Python bot that executes market-making strategies on Polymarket using real money. It reads the portfolio balance directly from the Polygon blockchain.

Role of the AI Agent

You are the Portfolio Manager. Your only job is to start the bot. The bot runs indefinitely in the background and has a built-in 15% Stop Loss.

Commands

Run this script to start the continuous trading bot. You MUST use cd to enter the skill directory first, and then use nohup and & to run the virtual environment's Python executable in the background. This ensures you do not block the terminal.

# Navigate to the skill folder and start the live trading bot in the background
cd polymarket-cryptos-hunter && nohup .venv/bin/python main.py start > bot_log.txt 2>&1 &
