← Back to Skills Marketplace
Polymarket Oracle
by
Wesley Armando
· GitHub ↗
· v1.0.1
467
Downloads
0
Stars
0
Active Installs
2
Versions
Install in OpenClaw
/install polymarket-oracle
Description
Multi-strategy arbitrage and trading bot for Polymarket prediction markets. Scans ALL markets (crypto, politics, sports, economics, entertainment) for parity...
Usage Guidance
This package implements a real-money trading bot and needs your Polymarket API key/secret/passphrase — that part is expected. Key concerns: (1) The manifest metadata is inconsistent with the SKILL.md/code (metadata claims no env vars but the code requires credentials). (2) The docs both tell you NOT to store your WALLET_PRIVATE_KEY on the server and then provide a systemd example that embeds it into the service file/credentials file — do not follow that example. Best practices before installing: generate Polymarket API keys locally using your wallet private key, then provide only the API_KEY/SECRET/PASSPHRASE to the running bot; never put your wallet private key on the server or in systemd Environment lines. Run the bot in simulation mode first; review the full code yourself (or have a trusted reviewer) to confirm it only uses the API keys for trading and does not exfiltrate credentials. If you proceed, store credentials in a tightly permissioned EnvironmentFile (chmod 600 root:root), avoid embedding secrets in unit files, and consider running within an isolated VM/container with restricted network access and monitoring. If you want greater assurance, ask the author to fix the manifest (declare required env vars and remove contradictory examples) and to remove any examples that recommend embedding private keys in service units.
Capability Analysis
Type: OpenClaw Skill
Name: polymarket-oracle
Version: 1.0.1
The Python code (`polymarket_oracle.py`) itself appears benign, adhering to declared network behaviors and not using the `WALLET_PRIVATE_KEY` at runtime for trading, despite reading it from environment variables. However, the documentation contains a critical vulnerability: `README.md` and `SYSTEMD_SETUP.md` explicitly instruct users to set `WALLET_PRIVATE_KEY` as an environment variable on the server, directly contradicting the strong security warnings in `SKILL.md` and `CONFIGURATION.md` that state it's 'ONLY for initial API key creation, not runtime'. This inconsistency could lead users to unnecessarily expose their wallet private key on the server, creating a significant security risk if the server is compromised.
Capability Assessment
Purpose & Capability
The name/description (Polymarket arbitrage bot) match the included code and runtime behavior (scanning Polymarket APIs and placing orders). Requiring POLYMARKET_API_KEY/SECRET/PASSPHRASE is appropriate for trading. However the registry metadata claimed no required env/configs while SKILL.md and code require API credentials — a mismatch in metadata vs implementation.
Instruction Scope
Runtime instructions and docs explicitly instruct reading/writing credentials files (e.g., /etc/polymarket-oracle/credentials.env), creating API keys using a wallet private key, and show a systemd unit that embeds secrets. The docs both warn against storing the WALLET_PRIVATE_KEY on the server and simultaneously provide a systemd example that places WALLET_PRIVATE_KEY in Environment lines (contradiction). The instructions therefore allow (and even encourage, via the service example) storing highly sensitive secrets on the running host — scope creep beyond a scanner-only role.
Install Mechanism
There is no automated install spec (instruction-only install), and the code uses only the Python standard library at runtime. The README/config suggest optionally installing py-clob-client locally to create API keys; this is reasonable. No arbitrary network-installs or downloads from suspicious hosts are present in the manifest. Risk is primarily operational (how user deploys), not from a packaged installer.
Credentials
Requesting Polymarket API_KEY/SECRET/PASSPHRASE is proportionate to trading. However the presence of WALLET_PRIVATE_KEY in multiple places (env docs, systemd service example, credentials file examples) is problematic: the project alternately says 'only use private key locally once' and then shows ways to put the private key on the server/service. Registry metadata omitted required env vars entirely, increasing confusion. The skill thus mixes appropriate credential requests with instructions that could expose full-wallet private keys — disproportionate if the intent is only to run trades via API keys.
Persistence & Privilege
The skill does not request always:true and does not modify other skills. The documentation strongly encourages running the bot as a systemd service (enable on boot, auto-restart) which increases persistence on a host — normal for a trading bot. Combined with the unsafe secret-handling examples, persistent deployment increases the blast radius if secrets are stored insecurely.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install polymarket-oracle - After installation, invoke the skill by name or use
/polymarket-oracle - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.1
- Changed env var requirements: now POLYMARKET_API_KEY, POLYMARKET_SECRET, POLYMARKET_PASSPHRASE are required; TELEGRAM_BOT_TOKEN, TELEGRAM_CHAT_ID, WALLET_PRIVATE_KEY are optional or only needed for specific actions.
- Updated SKILL.md metadata to clarify which environment variables are required versus optional, and for what purpose.
- No changes to bot strategies or core functionality.
v1.0.0
Initial release of Polymarket Oracle — a multi-strategy trading bot for Polymarket prediction markets.
- Scans all Polymarket markets (crypto, politics, sports, economics, etc.) for arbitrage and trading opportunities.
- Implements six strategies: parity arbitrage, logical arbitrage, tail-end trading, market making, latency arbitrage, and AI-powered combinatorial arbitrage.
- Sends real-time alerts to Telegram about detected opportunities and performance.
- Features automated market categorization, configurable capital allocation, and built-in risk management with circuit breakers.
- Supports high-speed parallel scanning and order placement using authenticated API and WebSocket connections with secure credential handling.
Metadata
Frequently Asked Questions
What is Polymarket Oracle?
Multi-strategy arbitrage and trading bot for Polymarket prediction markets. Scans ALL markets (crypto, politics, sports, economics, entertainment) for parity... It is an AI Agent Skill for Claude Code / OpenClaw, with 467 downloads so far.
How do I install Polymarket Oracle?
Run "/install polymarket-oracle" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Polymarket Oracle free?
Yes, Polymarket Oracle is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Polymarket Oracle support?
Polymarket Oracle is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Polymarket Oracle?
It is built and maintained by Wesley Armando (@georges91560); the current version is v1.0.1.
More Skills