ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Polymarket Mean Reversion Pro

v1.0.0

Generates zero-false mean reversion signals on Polymarket using 4σ price moves with RSI, MACD divergence, ATR compression, and VPIN flow filters.

0· 102·0 current·0 all-time
byMike@themsquared

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for themsquared/polymarket-mean-reversion-pro.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Polymarket Mean Reversion Pro" (themsquared/polymarket-mean-reversion-pro) from ClawHub.
Skill page: https://clawhub.ai/themsquared/polymarket-mean-reversion-pro
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install polymarket-mean-reversion-pro

ClawHub CLI

Package manager switcher

npx clawhub@latest install polymarket-mean-reversion-pro
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
The skill's name/description (mean-reversion signals for Polymarket) aligns with the code (market fetch, indicators, signal logic, Telegram alerts, SQS push). However the registry metadata claims no required env vars while SKILL.md and the code expect wallet credentials and Telegram configuration; boto3 usage implies AWS credentials may be needed but none were declared. This inconsistency is unexpected and unjustified by the stated purpose.
!
Instruction Scope
SKILL.md instructs users to provide a PRIVATE_KEY and WALLET_ADDRESS (sensitive), and the code will load a local .env file. The runtime instructions also call out SQS integration and Telegram alerts. The code contains hard-coded Telegram bot token/chat and a hard-coded SQS queue URL that will exfiltrate signals to an external account; SKILL.md does not explain or justify sending signals to a third-party-owned SQS queue or why the skill itself would need a private key (vs. an external execution service).
Install Mechanism
This is instruction-only with no external downloads. Required Python libraries are standard (requests, boto3). No high-risk install URLs or archive extraction are present.
!
Credentials
The skill asks users (in SKILL.md) to set PRIVATE_KEY and WALLET_ADDRESS but the registry declared no required env vars. The code uses boto3 (implying AWS credentials or instance role) but does not require or document them. Worse, it contains hard-coded TELEGRAM_BOT_TOKEN, TELEGRAM_CHAT_ID, and an explicit SQS_QUEUE_URL — meaning signals (and potentially any data assembled by the script) will be sent to a third party unless you override these. Requiring a private key locally in .env is high-risk if the skill does not need to sign transactions locally; the intent is ambiguous.
Persistence & Privilege
always:false and there is no install writing persistent system-wide config beyond a local .mr_history.json state file. The skill can be invoked autonomously (normal), but autonomous invocation increases exposure because the code will call external endpoints (Telegram, SQS) without clear opt-in from the registry metadata.
What to consider before installing
Do not run this skill with real secrets or on machines that have AWS credentials or live wallets until you resolve the inconsistencies. Specific things to check before installing or running: 1) Ask the author why TELEGRAM_BOT_TOKEN, TELEGRAM_CHAT_ID, and SQS_QUEUE_URL are hard-coded in the script; these send data to a third party by default and should be replaced with your own endpoints. 2) Confirm whether the skill needs your PRIVATE_KEY locally — if execution is done by an external pipeline, you should not provide your private key to this script. 3) If you must test, run in an isolated environment with no AWS credentials and without your real wallet keys; use test tokens and your own Telegram bot and SQS queue. 4) Prefer forks that remove hard-coded tokens and require the user to opt into external queues, and consider having the skill log only locally rather than pushing to third-party queues. 5) If you already put secrets into .env and are concerned, rotate those keys (wallet private key, Telegram bot token, AWS creds) immediately. If you want, provide the remaining portion of mean_reversion.py for a complete review to see whether any secrets are ever included in messages pushed to SQS or Telegram.

Like a lobster shell, security has layers — review code before you run it.

latestvk97fdsejtk4fptjnknewd0brf583d8rmmean-reversionvk97fdsejtk4fptjnknewd0brf583d8rmpolymarketvk97fdsejtk4fptjnknewd0brf583d8rmprediction-marketsvk97fdsejtk4fptjnknewd0brf583d8rmtechnical-analysisvk97fdsejtk4fptjnknewd0brf583d8rmtradingvk97fdsejtk4fptjnknewd0brf583d8rm
102downloads
0stars
1versions
Updated 1mo ago
v1.0.0
MIT-0
Mike@themsquared
latestmean-reversionpolymarketprediction-marketstechnical-analysistrading
Download

Polymarket Mean Reversion Pro

Advanced mean reversion signal engine for Polymarket. z-score crash detection with RSI + MACD divergence + ATR compression confirmation. Only fires on 4σ moves in liquid markets ($100k+ volume, 10-90¢ price range, max 7 days out). Zero false signals.

What It Does

  • Monitors top 100 Polymarket markets by 24h volume every 30 minutes
  • Builds 7-day rolling price history per market
  • Fires when price deviates from mean (tightened from 3σ to eliminate noise)
  • Triple confirmation required before any trade:
    1. z-score threshold crossed (4σ crash or spike)
    2. RSI oversold (<40) or overbought (>60)
    3. MACD divergence in expected direction
    4. ATR compression confirmed (volatility < 5% of price)
  • VPIN cross-check: skips if informed traders detected
  • Telegram alerts for every signal
  • SQS integration for automated execution pipeline

Filters (All Must Pass)

FilterValueReason
Min daily volume$100kLiquidity requirement
Price range10¢–90¢Avoid lottery tickets & certainties
Time to resolution6h–168hNo day-ofs or macro bets
z-score threshold±4.0σZero false signals
VPIN< 0.60Skip if informed flow detected

Signal Logic

BUY YES (crash): z < -4.0 + RSI < 40 + MACD bullish divergence + ATR compressed BUY NO (spike): z > +4.0 + RSI > 60 + MACD bearish divergence + ATR compressed

Setup

pip install requests boto3

Configure environment variables (or .env file in same directory):

PRIVATE_KEY=your_polygon_private_key
WALLET_ADDRESS=0xYourWallet
TELEGRAM_BOT_TOKEN=your_bot_token  # optional
TELEGRAM_CHAT_ID=your_chat_id      # optional

Usage

# Run once
python3 mean_reversion.py

# Dry run (show signals, no execution)
python3 mean_reversion.py --dry-run

# Watch mode (runs every 30 min)
python3 mean_reversion.py --watch

# Watch mode dry run
python3 mean_reversion.py --watch --dry-run

Kelly Sizing

  • Quarter Kelly (25% fractional)
  • Min: $2, Max: $25 per trade
  • Scales with probability confidence

Integration

  • Imports vpin.py for toxic flow detection (optional, falls back to 0.5)
  • Pushes signals to AWS SQS for execution pipeline
  • Sends Telegram alerts with z-score, price, volume, hours remaining

Requirements

  • Python 3.9+
  • requests library
  • boto3 (for SQS, optional)
  • py_clob_client (for execution)
  • Polymarket wallet with USDC

Notes

The 7-day history must accumulate before signals fire (24+ data points needed). In watch mode, signals start appearing after ~12 hours of data collection.

Comments

Loading comments...