Trusted — Risk Score 5/100
Last scan: 2 days ago
polymarket-autotrade
Polymarket prediction market CLI - Browse markets, check prices, execute trades, and manage portfolio
Polymarket trading CLI with transparent private key handling and declared network access to official Polymarket API endpoints only.
Skill Name: polymarket-autotrade
Duration: 32.6s
Engine: pi
Safe to install
No action needed. Skill operates within declared boundaries. Consider pinning requests and py-clob-client to specific versions (and recording package hashes) for reproducibility.

Findings (2 items)

Severity: Low
Finding:  Dependency versions not upper-pinned
Detail:   requirements.txt and pyproject.toml specify minimum versions (requests>=2.31.0, py-clob-client>=1.5.0) without upper bounds, so any later release, including an incompatible or tampered one, satisfies the specifier and gets installed.
Evidence: requests>=2.31.0
→ Pin to known-compatible versions, e.g., requests==2.31.0 and py-clob-client==1.5.0; for a fully reproducible install, also record hashes and install with pip --require-hashes.
Location: requirements.txt:2

Severity: Low
Finding:  Token contract address hardcoded
Detail:   The Polygon USDC (USDC.e) contract address 0x2791Bca1f2de4661ED88A30C99A7a9449Aa84174 is hardcoded at line 17. This is expected but worth noting for auditability: an address constant is only as trustworthy as the place it was copied from, so compare it with the canonical listing (e.g., the token's page on Polygonscan) and verify its EIP-55 mixed-case checksum, which catches transcription errors but not a deliberate substitution.
Evidence: USDC_CONTRACT = "0x2791Bca1f2de4661ED88A30C99A7a9449Aa84174"
→ No action needed: this is the well-known Polygon USDC contract address.
Location: skill.py:17
Resource      Declared     Inferred     Status      Evidence
Filesystem    READ/WRITE   READ/WRITE   ✓ Aligned   skill.py:37 reads CREDS_FILE; skill.py:61 writes API_CREDS_FILE
Network       READ         READ         ✓ Aligned   skill.py:203-245 GET requests to gamma-api.polymarket.com; skill.py:304 POST to …
Environment   READ         READ         ✓ Aligned   skill.py:30 os.environ.get('POLYMARKET_PRIVATE_KEY') and 'POLYMARKET_PROXY_ADDRE…
Shell         NONE         NONE                     No subprocess, os.system, or shell execution found
Indicators (7 findings)

Medium  External URL    https://gamma-api.polymarket.com/events/pagination   SKILL.md:192
Medium  External URL    https://data-api.polymarket.com/positions            SKILL.md:193
Medium  External URL    https://clob.polymarket.com                          SKILL.md:194
Medium  Wallet Address  0x2791Bca1f2de4661ED88A30C99A7a9449Aa84174           skill.py:17   (a token contract address, not a wallet; see the finding above)
Medium  External URL    https://polygon-rpc.com                              skill.py:18
Medium  External URL    https://polymarket.com/event/                        skill.py:241
Medium  External URL    https://gamma-api.polymarket.com/events/slug/        skill.py:245

File Tree

5 files · 22.2 KB · 711 lines
Python 1 file · 489 lines · Markdown 1 file · 194 lines · TOML 1 file · 20 lines · JSON 1 file · 5 lines · Text 1 file · 3 lines
├─ 📋 _meta.json JSON 5L · 139 B
├─ 📄 pyproject.toml TOML 20L · 384 B
├─ 📄 requirements.txt Text 3L · 71 B
├─ 📝 SKILL.md Markdown 194L · 4.9 KB
└─ 🐍 skill.py Python 489L · 16.8 KB

Dependencies (2 items)

Package         Version    Source   Known Vulns   Notes
requests        >=2.31.0   pip      No            Minimum version pinned, no upper bound
py-clob-client  >=1.5.0    pip      No            Minimum version pinned, no upper bound; official Polymarket SDK
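Both the finding and this table turn on the same question: does each specifier fix the version that gets installed? As an added example (not code from the skill or the scanner) here is a small lint that answers it for a requirements.txt without pulling in the packaging library. SAMPLE_REQUIREMENTS is constructed from the two specifiers the scan quotes; the other requirement forms in the comments are made up to exercise the remaining cases.

```python
"""Classify requirements.txt specifiers by how reproducible they are (added example)."""
import re

SPEC_RE = re.compile(r"(===|==|~=|!=|<=|>=|<|>)\s*([A-Za-z0-9.*+!_-]+)")
NAME_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")

SAMPLE_REQUIREMENTS = """\
# constructed from the specifiers quoted in the scan; no hashes present
requests>=2.31.0
py-clob-client>=1.5.0
"""

# Categories that still let the resolver pick a version at install time.
NON_REPRODUCIBLE = {"lower-bound-only", "unpinned"}


def classify(line: str):
    """Return (name, category) for one logical requirement line, or None if it is not one.

    Categories: exact+hash, exact, bounded (upper bound or ~=), lower-bound-only,
    unpinned, direct-reference (PEP 508 'name @ url').
    """
    hashed = "--hash=" in line
    text = line.split("#", 1)[0].strip()          # drop trailing comment
    if not text or text.startswith("-"):          # blank line or an option such as -r / --index-url
        return None
    m = NAME_RE.match(text)
    if not m:
        return None
    name = m.group(1)
    if " @ " in text:
        return name, "direct-reference"
    rest = text.split(";", 1)[0]                  # drop environment markers
    rest = re.sub(r"\[[^\]]*\]", "", rest)        # drop extras, e.g. requests[socks]
    ops = {op for op, _ in SPEC_RE.findall(rest[m.end():])}
    if ops & {"==", "==="}:
        cat = "exact+hash" if hashed else "exact"
    elif "~=" in ops or (ops & {"<", "<="} and ops & {">", ">="}):
        cat = "bounded"
    elif ops & {">", ">="}:
        cat = "lower-bound-only"
    else:
        cat = "unpinned"
    return name, cat


def lint(text: str):
    """Classify every requirement in a requirements.txt body (joins '\\' continuation lines)."""
    joined = text.replace("\\\n", " ")
    return [r for r in (classify(line) for line in joined.splitlines()) if r]


def problems(text: str):
    """Names whose specifier does not fix the installed version."""
    return [name for name, cat in lint(text) if cat in NON_REPRODUCIBLE]


if __name__ == "__main__":
    for name, cat in lint(SAMPLE_REQUIREMENTS):
        print(f"{name:20} {cat}")
    print("needs pinning:", problems(SAMPLE_REQUIREMENTS))
```

Only "exact+hash" ties the install to a specific artifact; "exact" still trusts the index to serve the same file for that version, and "bounded" only narrows the window in which an unreviewed release can be pulled.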

Security Positives

✓ Private key is never transmitted over the network - only used locally for signing via py-clob-client
✓ All network requests go to explicitly declared Polymarket endpoints (gamma-api, data-api, clob, polygon-rpc)
✓ SKILL.md documents credential handling in detail, including security warnings for using dedicated wallets
✓ API credentials are auto-generated and cached locally (API_CREDS_FILE, written at skill.py:61) rather than requiring manual entry; since that cache is a secret at rest, confirm it is created with owner-only permissions (0600) and that the credentials directory is not group- or world-writable
✓ Skill uses standard requests library with proper timeout values
✓ No subprocess, shell execution, or dynamic code evaluation (eval, exec) found
✓ No access to sensitive paths like ~/.ssh, ~/.aws, or .env files
✓ Filesystem access is scoped to ~/.openclaw/credentials/ directory, a dedicated skill credential store
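The last two positives describe a secret cached under ~/.openclaw/credentials/ but say nothing about how the file is created. As an added example (not code from the skill; the scan does not show its write routine) here is how an auditor would both write such a cache safely and check an existing one: owner-only mode enforced independently of umask, an atomic rename so a reader never sees a half-written file, and a check that the file has not drifted to a looser mode, been replaced by a symlink, or landed in a writable directory. POSIX only (fchmod, getuid); the file name and JSON body in demo() are made up.

```python
"""Write and audit an owner-only credential cache (added example)."""
import os
import stat
import tempfile


def write_private_file(path: str, data: bytes) -> None:
    """Create or replace `path` so that only the owner can read or write it."""
    tmp = path + ".tmp"
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(tmp, flags, 0o600)     # 0600 requested at creation, but umask can still widen it
    try:
        os.fchmod(fd, 0o600)            # so force the mode on the open descriptor
        os.write(fd, data)
        os.fsync(fd)
    finally:
        os.close(fd)
    os.replace(tmp, path)               # atomic swap; readers never observe a partial file


def private_file_problems(path: str) -> list:
    """Reasons `path` is unsafe as a secret store; an empty list means it passed."""
    issues = []
    try:
        st = os.lstat(path)             # lstat: do not follow a planted symlink
    except FileNotFoundError:
        return ["missing"]
    if stat.S_ISLNK(st.st_mode):
        issues.append("is a symlink")
    elif not stat.S_ISREG(st.st_mode):
        issues.append("not a regular file")
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        issues.append(f"mode {mode:04o} is readable or writable by group or other")
    if st.st_uid != os.getuid():
        issues.append("not owned by the current user")
    parent = os.lstat(os.path.dirname(os.path.abspath(path)))
    if stat.S_IMODE(parent.st_mode) & 0o022:
        issues.append("parent directory is writable by group or other")
    return issues


def demo():
    """Write a cache correctly, then loosen it and show the audit catching the drift."""
    with tempfile.TemporaryDirectory() as d:       # mkdtemp gives a 0700 parent
        p = os.path.join(d, "api_creds.json")      # made-up name for the demo
        write_private_file(p, b'{"apiKey": "example-not-real"}')
        good = private_file_problems(p)
        os.chmod(p, 0o644)                         # simulate a careless chmod or a permissive umask
        bad = private_file_problems(p)
    return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("after write:", good or "ok")
    print("after chmod 644:", bad)
```

Run private_file_problems() against the real API_CREDS_FILE after a first use of the skill; anything other than an empty list is a finding the scan above cannot see because it only reads the code.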