v1.0.0

Polymarket Whale Tracker

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 8:02 AM.

Analysis

This skill appears to be a local reporting tool that queries public Polymarket APIs, but users should treat its trading-confidence language as informational rather than guaranteed financial guidance.

Guidance

Before installing, understand that this appears to be a read-only Polymarket data-reporting script, not an automated trading system. It will contact Polymarket API endpoints and may send wallet addresses you query. Install the Python dependency from a trusted environment, and do not rely on the tool's 'high conviction' or 'winning trades' language as financial advice without independent review.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Human-Agent Trust Exploitation
Severity: Low, Confidence: High, Status: Note
SKILL.md
Track the top monthly earners on Polymarket and copy their winning positions... 2+ whales in same market → HIGH conviction, follow... Kelly-sized position recommendations with $25 hard cap

The skill uses strong trading-confidence language, while the included script only reports public position data and does not verify future outcomes, place trades, or enforce the advertised cap.

User impact: A user or agent could over-trust the output as a trading recommendation rather than a market-data report.
Recommendation: Treat the output as informational only, verify markets independently, and do not let an agent place financial trades without explicit human approval.

Tool Misuse and Exploitation
Severity: Info, Confidence: High, Status: Note
whale_tracker.py
DATA_API  = "https://data-api.polymarket.com" ... requests.get(f"{DATA_API}/positions", params={"user": address, "sizeThreshold": min_size, "limit": 50,}, timeout=10)

The script performs outbound API calls and sends wallet addresses as query parameters; this is central to the whale-tracking purpose and is not hidden.

User impact: Queried wallet addresses and leaderboard lookups will be sent to Polymarket API endpoints.
Recommendation: Use the script only when you are comfortable making those public API lookups, especially if the address is personally associated with you.

Agentic Supply Chain Vulnerabilities
Severity: Info, Confidence: High, Status: Note
SKILL.md
pip install requests

The setup step installs an unpinned Python dependency and there is no install spec. This is a simple, expected dependency for the script, but it relies on the user's package source.

User impact: A normal package-install supply-chain risk exists if the dependency is installed from an untrusted or compromised package source.
Recommendation: Install `requests` from a trusted Python package index, preferably in a virtual environment, and pin a known-good version if reproducibility matters.