Trusted — Risk Score 5/100
Last scan: 1 day ago
polymarket-maker
Continuous Static Market Making execution skill for Polymarket. Sells BOTH sides of 5-minute binary markets at $0.52.
Legitimate Polymarket trading bot using standard crypto libraries with no hidden functionality or credential exfiltration.
Skill Name: polymarket-maker
Duration: 27.2s
Engine: pi
Safe to install
No action required. This is a standard DeFi trading implementation.

Findings: 1 item

Severity | Finding | Location
Low | Unpinned dependency versions | Supply Chain (package.json:6)

Dependencies use caret (^) version ranges instead of exact versions, so a routine `npm install` can pull in a newer minor or patch release that was never reviewed:
"@polymarket/clob-client": "^5.8.0"
→ Pin to exact versions: "@polymarket/clob-client": "5.8.0"
The file tree contains no package-lock.json, so exact pins in package.json still leave transitive dependencies floating; commit a lockfile and install with `npm ci` so the full resolved set is fixed.
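As an added example (not code from the skill or the scanner), the following JavaScript lints a package.json for non-exact specifiers, produces the pinned rewrite the finding recommends, and checks the file set for a lockfile. The manifest is constructed from the three dependencies the report lists; the function names are assumptions, not a real tool's API.

```javascript
// Added example, not part of the polymarket-maker skill or the scanner.
// Lint a package.json for non-exact dependency specifiers and produce the
// pinned rewrite the finding recommends. SAMPLE_PACKAGE_JSON is constructed
// from the three dependencies listed in the scan report.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "polymarket-maker",
  type: "module",
  dependencies: {
    "@polymarket/clob-client": "^5.8.0",
    "dotenv": "^17.3.1",
    "ethers": "^6.16.0",
  },
});

// An exact pin is a plain semver version (MAJOR.MINOR.PATCH, optional
// prerelease/build). Anything else (^, ~, >=, *, x, ||, hyphen ranges,
// git/http/file specifiers) can resolve to code the author never reviewed.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

function isExactPin(spec) {
  return EXACT_VERSION.test(String(spec).trim());
}

// Every dependency whose specifier is not an exact pin, across all sections.
function findUnpinned(manifestText) {
  const manifest = JSON.parse(manifestText);
  const sections = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];
  const out = [];
  for (const section of sections) {
    for (const [name, spec] of Object.entries(manifest[section] ?? {})) {
      if (!isExactPin(spec)) out.push({ section, name, spec });
    }
  }
  return out;
}

// Best-effort rewrite: drop a leading ^ or ~ from a simple caret/tilde range
// (^5.8.0 -> 5.8.0). Anything more complex is left for a human, since the right
// pin should be the version actually tested, not a guess from the range.
function pinSpec(spec) {
  const m = /^[\^~]\s*(\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?)$/.exec(String(spec).trim());
  return m ? m[1] : null;
}

// Return a copy of the manifest with simple ranges pinned, plus the specifiers
// that could not be pinned automatically.
function pinnedManifest(manifestText) {
  const manifest = JSON.parse(manifestText);
  const unresolved = [];
  for (const { section, name, spec } of findUnpinned(manifestText)) {
    const pinned = pinSpec(spec);
    if (pinned) manifest[section][name] = pinned;
    else unresolved.push(`${section}.${name}: ${spec}`);
  }
  return { manifest, unresolved };
}

// Pinning package.json alone does not fix transitive dependencies; only a
// committed lockfile installed with `npm ci` does. Report both problems.
const LOCKFILES = /^(?:package-lock\.json|npm-shrinkwrap\.json|yarn\.lock|pnpm-lock\.yaml)$/;

function auditSupplyChain(manifestText, fileList) {
  return {
    unpinned: findUnpinned(manifestText),
    hasLock: fileList.some((f) => LOCKFILES.test(f)),
  };
}

// Run against the constructed manifest and the report's three-file tree.
const audit = auditSupplyChain(SAMPLE_PACKAGE_JSON, ["index.mjs", "package.json", "SKILL.md"]);
console.log(`${audit.unpinned.length} unpinned, lockfile present: ${audit.hasLock}`);
console.log(JSON.stringify(pinnedManifest(SAMPLE_PACKAGE_JSON).manifest.dependencies));
```

The rewrite only touches simple caret and tilde ranges; a range such as `>=1.0.0` is reported as unresolved rather than guessed, because the pin that belongs in the manifest is the version the author actually tested against.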
Resource | Declared | Inferred | Status | Evidence
Filesystem | NONE | NONE | | No file operations in code
Network | READ | READ | ✓ Aligned | api.binance.com, clob.polymarket.com, gamma-api.polymarket.com
Shell | WRITE | WRITE | ✓ Aligned | SKILL.md declares nohup/node execution
Environment | READ | READ | ✓ Aligned | WALLET_PRIVATE_KEY accessed via process.env
Skill Invoke | NONE | NONE | | No skill invocation
External URLs: 4 findings

Severity | Finding | URL | Location
Medium | External URL | https://api.binance.com/api/v3/ticker/price?symbol=$ | index.mjs:56
Medium | External URL | https://clob.polymarket.com/book?token_id=$ | index.mjs:65
Medium | External URL | https://gamma-api.polymarket.com/markets?slug=$ | index.mjs:80
Medium | External URL | https://clob.polymarket.com | index.mjs:98

The first three URLs end at `$`, where a query value is interpolated at runtime; the scheme, host and path are fixed string literals, which is what makes the host allowlist in the resource table meaningful.
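As an added example (not the scanner's or the skill's code), the following JavaScript derives an Inferred column like the resource table's from source text and checks it against a declaration, then applies the same allowlist reasoning to the External URL findings: a URL whose host is a fixed literal can be allowlisted, one whose host is interpolated cannot. SAMPLE_SOURCE is a constructed stand-in that uses the hosts and env var the report lists, not the real index.mjs; DECLARED assumes a manifest shape the report does not show; the function names are assumptions.

```javascript
// Added example, not the scanner's or the skill's own code. Infer the resources
// a skill's source touches (network hosts, env vars, filesystem, shell) and
// check them against what the skill declares. SAMPLE_SOURCE is a constructed
// stand-in built from the hosts and env var in the report, not the real index.mjs.
const SAMPLE_SOURCE = [
  'import { ethers } from "ethers";',
  'const key = process.env.WALLET_PRIVATE_KEY;',
  'const px = await fetch(`https://api.binance.com/api/v3/ticker/price?symbol=${sym}`);',
  'const book = await fetch(`https://clob.polymarket.com/book?token_id=${tokenId}`);',
  'const mkt = await fetch(`https://gamma-api.polymarket.com/markets?slug=${slug}`);',
  'const client = new ClobClient("https://clob.polymarket.com", 137, wallet);',
].join("\n");

// Assumed declaration shape (the report does not show the manifest format).
// Declared hosts act as an allowlist for outbound traffic.
const DECLARED = {
  network: ["api.binance.com", "clob.polymarket.com", "gamma-api.polymarket.com"],
  environment: ["WALLET_PRIVATE_KEY"],
  filesystem: false,
  shell: true, // the report says SKILL.md declares nohup/node execution
};

// Every http(s) URL literal in the source, template literals included. A URL is
// "dynamicHost" when an interpolation sits in the authority part, because an
// allowlist cannot vouch for a host that is decided at runtime.
function inferUrls(src) {
  const out = [];
  for (const m of src.matchAll(/https?:\/\/[^\s"'`)]+/g)) {
    const raw = m[0];
    const authority = raw.slice(raw.indexOf("://") + 3).split(/[/?#]/)[0];
    const dynamicHost = authority.includes("${");
    let host = null;
    if (!dynamicHost) {
      // Replace interpolations in path/query with a placeholder so URL can parse the host.
      try { host = new URL(raw.replace(/\$\{[^}]*\}/g, "X")).hostname; } catch { /* unparsable */ }
    }
    out.push({ raw, host, dynamicHost });
  }
  return out;
}

// process.env.NAME and process.env["NAME"] accesses, de-duplicated.
function inferEnvVars(src) {
  const re = /process\.env(?:\.([A-Za-z_]\w*)|\[\s*["']([^"']+)["']\s*\])/g;
  return [...new Set([...src.matchAll(re)].map((m) => m[1] ?? m[2]))];
}

// Coarse, heuristic module checks: enough to catch an undeclared capability,
// not a substitute for reading the code.
function inferFilesystem(src) {
  return /(?:from\s+|require\()\s*["'](?:node:)?fs(?:\/promises)?["']/.test(src);
}
function inferShell(src) {
  return /(?:from\s+|require\()\s*["'](?:node:)?child_process["']|\b(?:execSync|spawnSync)\s*\(/.test(src);
}

// Compare inferred use against the declaration. Use without declaration is a
// misalignment; declaration without use is over-privilege, reported separately
// so a reviewer can tighten the manifest.
function auditAlignment(src, declared) {
  const urls = inferUrls(src);
  const hosts = [...new Set(urls.map((u) => u.host).filter(Boolean))];
  const envVars = inferEnvVars(src);
  const fs = inferFilesystem(src);
  const shell = inferShell(src);
  const result = {
    hosts,
    undeclaredHosts: hosts.filter((h) => !declared.network.includes(h)),
    dynamicHostUrls: urls.filter((u) => u.dynamicHost).map((u) => u.raw),
    envVars,
    undeclaredEnv: envVars.filter((v) => !declared.environment.includes(v)),
    undeclaredFilesystem: fs && !declared.filesystem,
    undeclaredShell: shell && !declared.shell,
    overDeclared: [
      ...declared.network.filter((h) => !hosts.includes(h)).map((h) => `network:${h}`),
      ...declared.environment.filter((v) => !envVars.includes(v)).map((v) => `environment:${v}`),
      ...(declared.filesystem && !fs ? ["filesystem"] : []),
      ...(declared.shell && !shell ? ["shell"] : []),
    ],
  };
  result.aligned =
    result.undeclaredHosts.length === 0 &&
    result.dynamicHostUrls.length === 0 &&
    result.undeclaredEnv.length === 0 &&
    !result.undeclaredFilesystem &&
    !result.undeclaredShell;
  return result;
}

console.log(JSON.stringify(auditAlignment(SAMPLE_SOURCE, DECLARED), null, 2));
```

Because the report's shell evidence comes from SKILL.md rather than index.mjs, a source-only pass lists `shell` as over-declared; a complete check would also scan SKILL.md for the nohup/node instruction. The dynamic-host flag is the part that matters for the External URL findings: the four URLs above keep a literal host, so the Medium severity reflects outbound traffic as such, not attacker-chosen destinations.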

File Tree

3 files · 9.6 KB · 273 lines
JavaScript: 1 file, 238 lines · Markdown: 1 file, 25 lines · JSON: 1 file, 10 lines
├─ index.mjs (JavaScript, 238 lines, 8.0 KB)
├─ package.json (JSON, 10 lines, 212 B)
└─ SKILL.md (Markdown, 25 lines, 1.3 KB)

Dependencies: 3 items

Package | Version | Source | Known Vulns | Notes
@polymarket/clob-client | ^5.8.0 | npm | No | Version range not pinned
dotenv | ^17.3.1 | npm | No | Version range not pinned
ethers | ^6.16.0 | npm | No | Version range not pinned

Security Positives

✓ Code is readable with no obfuscation or base64 encoding
✓ No eval() or Function() usage
✓ No credential exfiltration - WALLET_PRIVATE_KEY used only for local transaction signing via ethers.js
✓ Network requests limited to legitimate Polymarket and Binance APIs
✓ No hidden functionality - implementation matches SKILL.md documentation
✓ Standard DeFi trading patterns using well-known libraries (ethers.js, @polymarket/clob-client)
✓ Built-in stop-loss mechanism demonstrates protective intent