guohongbin-git

Polymarket Arbitrage Cn

by Guohongbin · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
Downloads 628
Stars 0
Active Installs 0
Versions 1
Install in OpenClaw
/install polymarket-arbitrage-cn
Description
Polymarket Arbitrage. Prediction market arbitrage opportunities. Auto discover price differences. Trigger words: Polymarket, prediction market, ...
Usage Guidance
This skill appears to do what it claims: scrape Polymarket homepages, detect simple arbitrage opportunities, and save/alert locally. Before running it:
  1. Start in paper-trade mode as recommended and inspect the output files in ./polymarket_data.
  2. Run inside a Python virtualenv and review the scripts yourself.
  3. Be cautious when running monitor.py with non-default arguments: monitor.py builds shell command strings and calls subprocess.run(shell=True) using paths that can include user-supplied values (e.g., --data-dir). Avoid passing untrusted inputs containing shell metacharacters; if you want to be extra safe, run the single-run mode (--once) or modify run_command to use a list of args (shell=False).
  4. Understand scraping limitations: homepage percentages may be midpoints and not executable orderbook prices; the skill itself documents this risk.
  5. Do not plug in wallet private keys or automation until you have thoroughly validated results with manual trades; the code does not manage private keys, and automating execution introduces substantial additional risk.
Capability Analysis
Type: OpenClaw Skill
Name: polymarket-arbitrage-cn
Version: 1.0.0
The skill bundle is classified as suspicious due to a critical shell injection vulnerability in `scripts/monitor.py`. The `subprocess.run` calls use `shell=True` with command strings that incorporate user-controlled arguments like `--data-dir` and `--min-edge`. This allows an attacker to inject arbitrary shell commands, leading to remote code execution. While the `--alert-webhook` parameter allows for external data transmission, the current code does not implement the actual HTTP request for alerts, only printing a message, and its stated purpose is legitimate alerting. The shell injection is a severe vulnerability, but it appears to be an unintentional flaw rather than intentional malicious design.
Capability Assessment
Purpose & Capability
Name/description, SKILL.md, and included scripts all focus on finding arbitrage on Polymarket by scraping the site, detecting math arbs, and monitoring — the requested files, data storage, and optional webhook are coherent with that purpose. No unrelated environment variables, binaries, or external services are required.
Instruction Scope
SKILL.md instructs running the included Python scripts and storing results locally, which is appropriate. The monitor script prints alerts and can accept a webhook URL but does not itself post to external services (it only prints a 'Would send' message). One implementation detail: monitor.py constructs shell command strings and runs them with subprocess.run(shell=True), embedding user-controlled arguments (like --data-dir if provided). That can be a source of command injection if a user supplies maliciously crafted arguments when invoking the monitor. Functionally this does not contradict the skill purpose, but it's an implementation risk to be aware of.
Install Mechanism
No automatic install spec; SKILL.md advises installing Python dependencies with pip (requests, beautifulsoup4). No downloads from arbitrary URLs or archive extraction. This is low-risk and proportionate to the skill.
Credentials
The skill requests no environment variables, no credentials, and stores data locally under ./polymarket_data by default. References to wallet/private-key management are only in documentation for a future automation phase and are not required by the supplied scripts.
Persistence & Privilege
always is false, the skill is user-invocable only, and it does not attempt to modify other skills or system-wide settings. It persists its own monitoring state in a local data directory (polymarket_data), which is expected behavior.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install polymarket-arbitrage-cn
  3. After installation, invoke the skill by name or use /polymarket-arbitrage-cn
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release: Polymarket prediction market arbitrage discovery tool
Metadata
Slug polymarket-arbitrage-cn
Version 1.0.0
License
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Polymarket Arbitrage Cn?

Polymarket Arbitrage. Prediction market arbitrage opportunities. Auto discover price differences. Trigger words: Polymarket, prediction market, ... It is an AI Agent Skill for Claude Code / OpenClaw, with 628 downloads so far.

How do I install Polymarket Arbitrage Cn?

Run "/install polymarket-arbitrage-cn" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Polymarket Arbitrage Cn free?

Yes, Polymarket Arbitrage Cn is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Polymarket Arbitrage Cn support?

Polymarket Arbitrage Cn is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Polymarket Arbitrage Cn?

It is built and maintained by Guohongbin (@guohongbin-git); the current version is v1.0.0.
