Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Polymarket Cryptos Maker 5m

Continuous Static Market Making execution skill for Polymarket. Sells BOTH sides of 5-minute binary markets at $0.52. Features multi-asset support and an aut...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The name/description and the code both implement a continuous Polymarket market-making bot (placing sell orders on both sides). However, the metadata declares no required credentials/env vars while the code expects LIVE_TRADING and WALLET_PRIVATE_KEY (loaded via dotenv). That mismatch is unexplained and problematic for a trading skill.
Instruction Scope
SKILL.md tells the user how to launch the script in the background but omits crucial operational details: it does not mention that you must set LIVE_TRADING or provide WALLET_PRIVATE_KEY (or a .env file), and it does not instruct installing Node dependencies. The README claims an automated 8% stop-loss, but the code's stop-loss uses an internal simulated balance (INITIAL_BALANCE/currentBalance) and is not tied to on-chain or actual wallet balances — this could mislead users into thinking their real funds are protected.
Install Mechanism
No install spec is provided (instruction-only), but package.json lists dependencies (@polymarket/clob-client, ethers, dotenv). The SKILL.md does not instruct to run npm install or otherwise install dependencies; that omission is a usability/safety concern but not itself an active install risk. Dependencies are from npm (traceable), not a remote archive.
Credentials
The package uses dotenv and reads process.env.LIVE_TRADING and process.env.WALLET_PRIVATE_KEY (sensitive). Metadata declared no required env or primary credential — omitting a required private key is an incoherence. Requesting a wallet private key is expected for a trading bot, but the missing documentation and simulated stop-loss make that access disproportionate without clearer safeguards.
Persistence & Privilege
The skill does not request 'always: true' and does not modify other skill/system configs. It runs as a user-launched Node process; autonomous invocation is permitted by platform defaults but not specifically privileged by this skill.
What to consider before installing
Do not run this against a real wallet until you verify and test it yourself. Key points to check before installing/using:
1) The script reads .env and expects WALLET_PRIVATE_KEY and LIVE_TRADING but the SKILL.md and metadata do not mention these — supply a private key only to code you fully trust.
2) The advertised "8% Stop-Loss" is implemented against an internal simulated balance (INITIAL_BALANCE/currentBalance) and is not tied to actual on-chain balances or exchange account data — it may not protect real funds.
3) The package.json requires @polymarket/clob-client, ethers and dotenv; run npm install in a controlled environment and inspect installed packages.
4) Prefer testing in a dry-run or sandbox (LIVE_TRADING unset/false) and with a throwaway wallet with minimal funds.
5) If you need this skill, ask the publisher to update SKILL.md and registry metadata to declare required env vars, explain how stop-loss maps to real balances, and include explicit install/run instructions.
If you are not comfortable auditing the code and npm dependencies yourself, do not provide your wallet private key or enable LIVE_TRADING.
index.mjs:12
Environment variable access combined with network send.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.0.0
latestvk97e00efa71rc0a0pmdq7nwh8x831sf3

SKILL.md

Polymarket V14 Continuous Maker

This skill executes a continuous static market-making cycle on Polymarket 5-minute crypto markets. It places Limit Sell orders on both UP and DOWN tokens at a fixed price of $0.52.

Role of the AI Agent

You are the Portfolio Manager. Your job is to trigger the continuous trading loop and decide the initial allocation. Because the bot runs indefinitely in the background, you do not need to execute it every 5 minutes. The script has a built-in 8% Stop-Loss that will automatically halt trading if the global drawdown limit is reached.

Commands

Run the Node.js script in the background to start continuous market making. You MUST use the nohup and & operators so your terminal does not block and you can continue to respond to the user.

# Execute continuously on ALL markets (BTC, ETH, SOL, XRP) with 10 shares per market
nohup node polymarket-maker/index.mjs trade --asset ALL --shares 10 > bot_log.json 2>&1 &

# Or execute continuously on a single specific market
nohup node polymarket-maker/index.mjs trade --asset BTC --shares 10 > bot_log.json 2>&1 &

Files

3 total