Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Polymarket Weather Bands

v0.3.0

Autonomous Polymarket weather-market trading flow for AION Market agents. After the user provides AION API key and wallet private key, the agent should autom...

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for ssj124/polymarket-weather-bands.

Install the skill "Polymarket Weather Bands" (ssj124/polymarket-weather-bands) from ClawHub.
Skill page: https://clawhub.ai/ssj124/polymarket-weather-bands
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

openclaw skills install polymarket-weather-bands

ClawHub CLI

npx clawhub@latest install polymarket-weather-bands

Security Scan

Capability signals: Crypto, Requires wallet, Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)

! Purpose & Capability
The skill's stated purpose (autonomous trading on AION/Polymarket) legitimately requires an API key and a wallet private key, which the SKILL.md explicitly lists as mandatory inputs. However, the registry metadata claims no required environment variables or primary credential, creating a clear inconsistency between what the skill will ask for at runtime and what the registry advertises.
! Instruction Scope
The instructions direct the agent to derive keys from a provided private key, register wallet credentials with AION Market, auto-check balances/gas/allowances, auto-approve spenders, build and sign orders, submit trades, and verify results — and to do so without additional confirmations by default. These are coherent for an automated trading flow but they grant the agent broad authority to move funds. The SKILL.md is ambiguous about whether the private key ever leaves the host (e.g., is only used locally to sign) versus being uploaded/transmitted during 'registration'.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing is written to disk or downloaded by an installer. That lowers installation risk, but runtime behavior still depends on what the agent does when following the prose.
! Credentials
The SKILL.md requires two sensitive inputs (AIONMARKET_API_KEY and WALLET_PRIVATE_KEY), which are proportionate to trading functionality. But the registry metadata lists no required env vars — a notable mismatch. The instructions also require registering wallet credentials with a third-party service, which could entail transmitting sensitive derived credentials or signatures; the doc does not state what is transmitted. The private key is extremely sensitive and the skill gives the agent authority to sign and submit transactions, so this requires explicit safeguards.
Persistence & Privilege
The skill is not always-enabled and uses the platform default allowing autonomous invocation. Autonomous execution combined with instructions to avoid extra confirmations increases risk (fund-moving actions may occur without explicit user approval). There is no evidence the skill modifies other skills or system configs.
What to consider before installing
Key considerations before installing or using this skill:

  • The SKILL.md will ask you to provide your WALLET_PRIVATE_KEY and AIONMARKET_API_KEY. Never paste a high-value private key into a third-party skill unless you fully trust how it is used and transmitted.
  • The registry metadata claims no required env vars, but the runtime instructions contradict that. Ask the publisher to resolve this mismatch and provide an explicit data-flow statement (what is signed locally vs what is transmitted to AION or Polymarket endpoints).
  • Confirm whether wallet registration only sends a derived public address or whether any secret/signed material (or raw private key) is uploaded. If the private key is transmitted or stored remotely, do not use it.
  • Prefer safer alternatives: use a dedicated low-value spending wallet, hardware wallet or remote signer (so the skill never sees the raw private key), require explicit user confirmation for any trade above a small threshold, and test first in sandbox with minimal funds.
  • If you still consider using it, request from the publisher: (1) exact API endpoints called for registration and what payloads they receive, (2) whether signing is local, (3) a promise not to persist private keys, and (4) an option to force manual confirmations for every on-chain action.
  • Because the metadata/manifest is inconsistent, exercise caution and seek clarification before supplying secrets.

Additional information that would raise confidence: an explicit statement that signing is done locally with no private-key transmission, sample request/response examples, or source code showing local signing and only public data being sent.

Like a lobster shell, security has layers — review code before you run it.

latest vk970wg0pkhnxdmqbhgyxpf1acn851xcf
120 downloads
0 stars
3 versions
Updated 1w ago
v0.3.0
MIT-0

Skill: polymarket-weather-bands

This skill defines a compact one-shot weather trading flow on top of aionmarket-trading. It is intentionally upload-friendly: the file describes the required behavior without depending on a separate runner.py.


Scope

  • Ask only for AIONMARKET_API_KEY and WALLET_PRIVATE_KEY
  • Auto-derive wallet address and Polymarket CLOB credentials
  • Auto-register wallet credentials with AION Market
  • Auto-check USDC balance, Polygon gas, and required allowance
  • Auto-approve if allowance is insufficient and gas is available
  • Fetch the hottest active weather markets from Polymarket
  • Auto-pick a suitable market and prefer a market buy order
  • Default to 2 USDC spend unless the user overrides size or requests a limit order
  • Verify the actual result through Polymarket if the SDK response is weak

This skill does not implement forecasting models or unattended recurring trading.


Required Inputs

Input                Required                        Default
AIONMARKET_API_KEY   yes                             none
WALLET_PRIVATE_KEY   yes                             none
orderMode            no                              market
orderSize            no                              2 USDC
outcome              no                              auto
price                only for explicit limit order   auto

The agent should not ask for additional confirmation on steps it can execute directly.


Mandatory Rules

  1. If either secret is missing, stop and ask for it.
  2. Never ask the user to manually provide Polymarket API credentials.
  3. After the private key is available, automatically perform wallet derivation, wallet registration, balance checks, gas checks, allowance checks, and approval when needed.
  4. Show the selected market snapshot and final order parameters before submission, but do not block on confirmation unless the user explicitly requested manual confirmation mode.
  5. Default to a market buy order.
  6. Default spend is 2 USDC.
  7. For market orders, auto-estimate an executable cap from order book or market price.
  8. For limit orders, ask for price only if the user explicitly requested limit mode and did not provide one.
  9. Always send a full signed order object and walletAddress in the trade payload.
  10. If the SDK returns a generic error or empty result, automatically verify the outcome using Polymarket trades and orders.

Market Selection Policy

Use Polymarket Gamma weather markets and rank candidates by:

  1. volume24hr descending
  2. liquidity descending
  3. valid conditionId, clobTokenIds, and usable YES/NO prices
  4. prices not pinned too close to 0 or 1
  5. better immediate fill characteristics for market orders

Choose the best candidate automatically unless the user requested a specific market.

Recommended endpoint:

GET https://gamma-api.polymarket.com/events/pagination?tag_slug=weather&active=true&closed=false&archived=false&order=volume24hr&ascending=false&limit=20&offset=0

Execution Policy

The agent should follow this sequence:

  1. Derive wallet address and CLOB credentials from WALLET_PRIVATE_KEY
  2. Register wallet credentials in AION Market if missing
  3. Check USDC balance, Polygon gas, and allowance
  4. Auto-approve the needed spender if allowance is insufficient
  5. Fetch and rank hot weather markets
  6. Show the selected market snapshot
  7. Resolve defaults: orderMode=market, orderSize=2, side=BUY
  8. Build a signed Polymarket order
  9. Submit through client.trade()
  10. Verify the actual result from Polymarket CLOB if the SDK wrapper response is incomplete

Required Trade Payload

Field               Required
marketConditionId   yes
marketQuestion      yes
outcome             yes
orderSize           yes
price               yes
isLimitOrder        yes
orderType           yes
order               yes
walletAddress       yes
reasoning           yes

Important:

  • marketConditionId must be the sub-market conditionId, not the event id
  • order must be the full signed object from py-clob-client
  • market orders should use FAK or FOK semantics
  • limit orders should respect tick size and minimum size
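
A pre-submission gate for the trade payload described above, as an added example that is not part of the skill or the AION SDK. The function name `review_payload`, the `max_auto_spend` threshold (set to the skill's 2 USDC default) and all sample values are assumptions made for illustration.

```python
import json

# Field names come from the skill's "Required Trade Payload" table.
REQUIRED_FIELDS = (
    "marketConditionId", "marketQuestion", "outcome", "orderSize", "price",
    "isLimitOrder", "orderType", "order", "walletAddress", "reasoning",
)
MARKET_ORDER_TYPES = {"FAK", "FOK"}  # "market orders should use FAK or FOK"


def review_payload(payload, private_key, max_auto_spend=2.0):
    """Hypothetical pre-submission gate: returns (decision, reasons).

    decision is "block", "confirm" (ask the user first) or "allow".
    max_auto_spend is an assumed threshold equal to the skill's 2 USDC default.
    """
    block, confirm = [], []
    missing = [f for f in REQUIRED_FIELDS if payload.get(f) in (None, "")]
    if missing:
        block.append("missing fields: " + ", ".join(missing))

    # The raw key must never appear anywhere in data sent to a third party.
    secret = private_key.lower().removeprefix("0x")
    if secret and secret in json.dumps(payload, default=str).lower():
        block.append("payload contains the wallet private key")

    # Only market orders (isLimitOrder is False) are held to FAK/FOK.
    if payload.get("isLimitOrder") is False and payload.get("orderType") not in MARKET_ORDER_TYPES:
        block.append("market order without FAK/FOK order type")

    try:
        if float(payload.get("orderSize")) > max_auto_spend:
            confirm.append("orderSize exceeds auto-spend threshold")
    except (TypeError, ValueError):
        block.append("orderSize is not numeric")

    if block:
        return "block", block
    return ("confirm", confirm) if confirm else ("allow", [])


# Constructed sample data, not a real key, wallet or market.
SAMPLE_KEY = "0x" + "ab" * 32
SAMPLE_PAYLOAD = {
    "marketConditionId": "0xCONDITION_ID_PLACEHOLDER", "marketQuestion": "Constructed question?",
    "outcome": "YES", "orderSize": 2, "price": 0.41, "isLimitOrder": False,
    "orderType": "FAK", "order": {"signature": "0xCONSTRUCTED_SIGNATURE"},
    "walletAddress": "0xWALLET_ADDRESS_PLACEHOLDER", "reasoning": "constructed example",
}
```

Run the gate immediately before the payload is submitted; a "confirm" result is the point at which to ask the user instead of proceeding automatically.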

Failure Handling

  • If balance is insufficient, stop and report the deficit
  • If gas is insufficient, stop and report the shortfall
  • If allowance is insufficient and gas exists, auto-approve and continue
  • If get_market_context() fails in sandbox, continue using direct market data and CLOB read-only validation as fallback
  • Never execute fallback orders directly through Polymarket SDK; trade and cancel actions must use AION API endpoints only
  • If SDK returns tradeResult: null or INTERNAL_ERROR, verify recent trades and open orders before reporting failure

Minimal Example

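import os

from aionmarket_sdk import AionMarketClient
from py_clob_client.client import ClobClient

# Both secrets are read from the environment here so the snippet runs as written.
AIONMARKET_API_KEY = os.environ["AIONMARKET_API_KEY"]
WALLET_PRIVATE_KEY = os.environ["WALLET_PRIVATE_KEY"]

client = AionMarketClient(api_key=AIONMARKET_API_KEY)
# chain_id=137 is Polygon; the private key is handed to the local CLOB client.
bootstrap = ClobClient("https://clob.polymarket.com", key=WALLET_PRIVATE_KEY, chain_id=137)

# Derive the wallet address and the Polymarket CLOB API credentials from the key.
wallet_address = bootstrap.get_address()
creds = bootstrap.create_or_derive_api_creds()

# Register only if AION Market has no credentials for this wallet.
# This call passes the derived CLOB api_key, api_secret and api_passphrase to the AION client.
check = client.check_wallet_credentials(wallet_address)
if not check.get("hasCredentials"):
    client.register_wallet_credentials(
        wallet_address=wallet_address,
        api_key=creds.api_key,
        api_secret=creds.api_secret,
        api_passphrase=creds.api_passphrase,
    )

# Then: auto-check balance/gas/allowance -> fetch hot weather markets ->
# auto-pick candidate -> build signed market order -> client.trade(payload) ->
# verify with Polymarket trades if needed.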

This skill file is self-contained and intended to be uploaded on its own.
