Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Polymarket Mean Reversion Pro

v1.0.0

Generates zero-false mean reversion signals on Polymarket using 4σ price moves with RSI, MACD divergence, ATR compression, and VPIN flow filters.

by Mike@themsquared

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The skill's name and description (mean-reversion signals for Polymarket) align with the code (market fetch, indicators, signal logic, Telegram alerts, SQS push). However, the registry metadata claims no required environment variables, while SKILL.md and the code expect wallet credentials and Telegram configuration; the boto3 usage implies AWS credentials may also be needed, but none were declared. This inconsistency is unexpected and not justified by the stated purpose.
Instruction Scope (flagged)
SKILL.md instructs users to provide a PRIVATE_KEY and WALLET_ADDRESS (both sensitive), and the code loads them from a local .env file. The runtime instructions also call out SQS integration and Telegram alerts. The code contains a hard-coded Telegram bot token and chat ID and a hard-coded SQS queue URL, so by default signals are sent to an external account. SKILL.md neither explains nor justifies sending signals to a third-party-owned SQS queue, nor why the skill itself would need a private key rather than delegating execution to an external service.
Install Mechanism
This is an instruction-only skill with no external downloads. The required Python libraries are standard (requests, boto3). No high-risk install URLs or archive extraction are present.
Credentials (flagged)
The skill asks users (in SKILL.md) to set PRIVATE_KEY and WALLET_ADDRESS, but the registry declared no required environment variables. The code uses boto3 (implying AWS credentials or an instance role) but does not require or document them. Worse, it contains a hard-coded TELEGRAM_BOT_TOKEN, TELEGRAM_CHAT_ID, and an explicit SQS_QUEUE_URL, meaning signals (and potentially any data assembled by the script) will be sent to a third party unless you override these values. Requiring a private key in a local .env is high-risk if the skill does not need to sign transactions locally; the intent is ambiguous.
Persistence & Privilege
The manifest sets always:false, and the install writes no persistent system-wide config beyond a local .mr_history.json state file. The skill can be invoked autonomously (which is normal), but autonomous invocation increases exposure because the code calls external endpoints (Telegram, SQS) without a clear opt-in in the registry metadata.
What to consider before installing
Do not run this skill with real secrets, or on machines that hold AWS credentials or live wallets, until you have resolved the inconsistencies. Specific things to check before installing or running:

1) Ask the author why TELEGRAM_BOT_TOKEN, TELEGRAM_CHAT_ID, and SQS_QUEUE_URL are hard-coded in the script; these send data to a third party by default and should be replaced with your own endpoints.
2) Confirm whether the skill needs your PRIVATE_KEY locally. If execution is done by an external pipeline, you should not provide your private key to this script.
3) If you must test, run in an isolated environment with no AWS credentials and without your real wallet keys; use test tokens and your own Telegram bot and SQS queue.
4) Prefer forks that remove hard-coded tokens and require the user to opt into external queues, and consider having the skill log only locally rather than pushing to third-party queues.
5) If you have already put secrets into .env and are concerned, rotate those keys (wallet private key, Telegram bot token, AWS credentials) immediately.

If you want, provide the remaining portion of mean_reversion.py for a complete review to see whether any secrets are ever included in messages pushed to SQS or Telegram.


Tags: latest, mean-reversion, polymarket, prediction-markets, technical-analysis, trading
