Wangbo Polymarket Copytrading
by wangbo12bob2-source · GitHub · v0.2.0
407 Downloads · 0 Stars · 1 Active Installs · 2 Versions
Install in OpenClaw
/install wangbo-polymarket-copytrading
Description
Build and run Polymarket copy-trading workflows (trader discovery, peak/decline cycle detection, candidate ranking, risk limits, and execution handoff). Use...
Usage Guidance
Before installing or running this skill:
(1) Recognize that the scripts can place real Polymarket orders when run with --execute — do not run with --execute unless you fully trust the code and environment.
(2) Confirm where signing keys live (polymarket CLI, local key store, or env vars) and never expose private keys to untrusted code.
(3) Require the author to update metadata/SKILL.md to declare required binaries (polymarket, curl) and the exact credential model needed, and add explicit warnings about financial risk.
(4) Test with dry-run only and inspect the polymarket CLI commands that will be executed; run in an isolated environment or with empty/funding-free accounts first.
(5) If you need to allow autonomous invocation, restrict permissions and review how the agent obtains confirmations before executing orders.
Capability Analysis
Type: OpenClaw Skill
Name: wangbo-polymarket-copytrading
Version: 0.2.0
The skill bundle is designed for automated Polymarket copy-trading. The `scripts/auto_copytrade.py` script contains a command injection vulnerability. It constructs commands for an external `polymarket` CLI tool using values directly from the `references/auto-copytrade-config.example.json` configuration file. If an attacker could control the content of this configuration file (e.g., via a supply chain attack or prompt injection against the agent to modify the config or its path), they could inject arbitrary shell commands, leading to Remote Code Execution (RCE) and unauthorized financial transactions. This is a critical vulnerability, but not evidence of intentional malice within the skill's core logic.
Capability Assessment
Purpose & Capability
The skill claims to build/run Polymarket copy-trading workflows and the scripts do exactly that (fetch leaderboard data, evaluate traders, and place orders). However, the registry metadata declares no required binaries or credentials even though the code invokes 'curl' and a 'polymarket' CLI (polymarket markets get, polymarket clob market-order). The absence of those requirements in the metadata is an inconsistency: either the skill owner omitted required prerequisites, or the skill expects the agent environment to already hold signing keys/configs (a sensitive implicit dependency).
Instruction Scope
SKILL.md instructs running the included scripts and describes dry-run vs execute flags, but it does not mention the need for the polymarket CLI, curl, or where signing credentials come from. The runtime instructions allow running the scripts with --execute which will call an external CLI to place market orders — a high-impact action. The instructions do not warn about or require explicit confirmation of privileged signing credentials or funding, nor do they document which endpoints/CLIs will be used to sign and send orders.
Install Mechanism
There is no install spec (instruction-only plus included scripts), so nothing is downloaded at install time — this is lower risk for code injection. However, runtime requires external binaries (curl and the polymarket CLI). The absence of an install step or documentation for obtaining the polymarket CLI is a usability/security gap: users may unknowingly run code that depends on preinstalled tools which can access local keys.
Credentials
Registry metadata lists no required environment variables or credentials, but the auto-copy config includes wallet addresses and the code calls a CLI that likely uses local signing keys or environment-based credentials. The scripts can perform signed market orders when invoked with --execute, which implies access to private keys or signing infrastructure; the skill does not declare, justify, or constrain access to those secrets. That mismatch is disproportionate for the published metadata and hides a sensitive requirement.
Persistence & Privilege
The skill is not always:true and does not request persistent/automatic inclusion. It does allow autonomous model invocation by default (normal), but there is no evidence the skill modifies other skills or system-wide agent settings. The main privilege concern is operational (placing real orders) rather than persistent installation.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install wangbo-polymarket-copytrading
- After installation, invoke the skill by name or use /wangbo-polymarket-copytrading
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.2.0
Add auto monitor loop + threshold-based order execution script and config example
v0.1.0
Initial release: trader scan + peak/strong phase detection + risk template
Frequently Asked Questions
What is Wangbo Polymarket Copytrading?
Build and run Polymarket copy-trading workflows (trader discovery, peak/decline cycle detection, candidate ranking, risk limits, and execution handoff). Use... It is an AI Agent Skill for Claude Code / OpenClaw, with 407 downloads so far.
How do I install Wangbo Polymarket Copytrading?
Run "/install wangbo-polymarket-copytrading" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Wangbo Polymarket Copytrading free?
Yes, Wangbo Polymarket Copytrading is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Wangbo Polymarket Copytrading support?
Wangbo Polymarket Copytrading is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created Wangbo Polymarket Copytrading?
It is built and maintained by wangbo12bob2-source (@wangbo12bob2-source); the current version is v0.2.0.