ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Polymarket BTC 5m Arbitrage

v1.0.1

Polymarket BTC 5分钟高频套利机器人 - 自动交易BTC涨跌预测市场,支持 SkillPay 计费

0· 340·0 current·0 all-time
by@whh110112

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for whh110112/polymarket-btc-5m-arbitrage.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Polymarket BTC 5m Arbitrage" (whh110112/polymarket-btc-5m-arbitrage) from ClawHub.
Skill page: https://clawhub.ai/whh110112/polymarket-btc-5m-arbitrage
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install whh110112/polymarket-btc-5m-arbitrage

ClawHub CLI

Package manager switcher

npx clawhub@latest install polymarket-btc-5m-arbitrage
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill's name/description claim automated trading (orders, market-making), but the provided Python bot only scans markets and logs arbitrage opportunities; there is no code that places orders or interacts with Polymarket order endpoints. Also the registry lists no required environment variables, yet SKILL.md and the code expect POLYMARKET_PRIVATE_KEY and POLYMARKET_API_KEY (for trading) and SKILLPAY_API_KEY (billing). This mismatch suggests the manifest/metadata are incomplete or misleading.
!
Instruction Scope
SKILL.md instructs users to set private keys and API keys and to run the bot. The code reads .env and environment variables and makes outbound requests to polymarket endpoints and to skillpay.me for billing. It does not attempt to read unrelated local files, but it will use environment-stored private keys if provided (sensible for trading) and will attempt to charge users via SkillPay. The risk: the SKILLPAY usage is automatic and a hardcoded key is present so billing behavior may not be what users expect.
Install Mechanism
No install script or remote downloads; this is an instruction-plus-source package with no networked install steps. That lowers filesystem/remote-exec risk. However, running the included Python scripts will execute network calls in-process (requests) and may perform financial operations if code is changed or extended.
!
Credentials
The code requires sensitive credentials (POLYMARKET_PRIVATE_KEY and POLYMARKET_API_KEY) appropriate for trading, but the registry declares none—an incoherence. Critically, a SKILLPAY_API_KEY default is hardcoded into two files (looks like a private key string 'sk_...'), meaning the package contains an embedded secret that will be used to bill/charge via skillpay.me if the user does not override it. Embedding a live billing API key in distributed code is a high-risk anti-pattern (financial/exfiltration risk).
Persistence & Privilege
The skill is not marked always:true and does not request persistent system-wide privileges. It does run continuously (in its own process when executed) but does not modify other skills or agent configs. Autonomous agent invocation is permitted by default but not by itself a concern here.
What to consider before installing
Do not run this code unmodified. Specific recommendations: - Treat the hardcoded SKILLPAY_API_KEY value as suspicious; remove any embedded API keys before running and replace with your own keys only if you trust the billing provider. Hardcoded secret keys can be abused to charge users or route payments to the developer. - Be aware the code advertises automatic trading but contains no order-submission logic; if you expect a trading bot, this code is incomplete—do not provide your POLYMARKET_PRIVATE_KEY until you audit or implement secure signing/ordering logic. - If you plan to run it: audit all network calls (requests) and confirm endpoints, remove or replace the embedded billing key, and run in a sandboxed environment or test account with minimal funds. - Ask the publisher for clarity: why do registry metadata and required-env declarations omit POLYMARKET_* and SKILLPAY_* keys, and is the hardcoded billing key intentional? If you cannot get satisfactory answers, avoid installing or using this skill.

Like a lobster shell, security has layers — review code before you run it.

latestvk972ywb77y8pwdcjtgt6t5f00h82bnvm
340downloads
0stars
1versions
Updated 9h ago
v1.0.1
MIT-0
@whh110112
latest
Download

Polymarket BTC 5分钟套利机器人

自动交易 Polymarket BTC 5分钟涨跌预测市场(btc-up-or-down-5m系列)

功能

  • 自动发现当前和即将到来的5分钟BTC市场
  • 实时订单簿分析
  • 价差套利交易
  • 支持限价单和市价单
  • 自动做市提供流动性
  • 支持 SkillPay 计费 (可选)

使用方法

1. 配置

设置环境变量或 config.json:

export POLYMARKET_PRIVATE_KEY="your_private_key"
export POLYMARKET_API_KEY="your_api_key"
export SKILLPAY_API_KEY="your_skillpay_key"  # 可选

2. 运行

python3 scripts/polymarket_btc_5m_bot.py

3. 可选参数

python3 scripts/polymarket_btc_5m_bot.py --help

市场信息

  • 系列: btc-up-or-down-5m
  • 类型: 5分钟BTC涨跌预测
  • 分辨率: Chainlink BTC/USD
  • 交易对: Up/Down

API

SkillPay 计费

本 Skill 支持 SkillPay 计费系统(可选):

  • 用户需先支付才能使用
  • 未支付时返回支付链接
  • 开发者可获得 95% 收入

详细见: https://skillpay.me

参考

  • references/api-reference.md - API 详细文档
  • references/trading-strategy.md - 交易策略说明

Comments

Loading comments...