guzus

Polymarket CLI & Arb Scanner

Author: guzus · GitHub ↗ · v1.1.0
cross-platform ⚠ suspicious
Total downloads: 340
Favorites: 0
Current installs: 0
Versions: 2
Install in OpenClaw
/install mgnlia-polymarket
Description
Browse, trade, and manage positions on Polymarket prediction markets via the polymarket CLI. Use when: user asks about prediction market odds, wants to searc...
Security recommendations
This package implements the promised Polymarket CLI utilities and an expiry-arbitrage scanner, but take precautions before installing or running it:
- Review install scripts before running: install.sh and the SKILL.md recommend piping remote scripts into sh (raw.githubusercontent.com and rustup.sh). Only run them if you trust the source and have inspected the script contents.
- Treat wallet private keys as sensitive: do not paste or import private keys into software or agent environments you don't control. Prefer hardware wallets or ephemeral wallets and only enable trading in a locked-down environment.
- The TypeScript scanner calls the shell with a user-supplied query interpolated into the command; that can lead to command injection if untrusted input is used. If you run the script, only pass trusted queries or modify the code to properly escape/sanitize inputs (avoid unescaped shell interpolation; use execFile or pass args array).
- Running npx/tsx may download packages at runtime—consider installing dependencies locally or running inside an isolated container/VM.
- If you only need read-only features, avoid running wallet/setup commands and restrict network/privilege exposure.
If you want to proceed: inspect scripts/install.sh and expiry-arb.ts fully, run installation in an isolated environment (container or VM), and never expose private keys to untrusted processes.
Functional analysis
Type: OpenClaw Skill
Name: mgnlia-polymarket
Version: 1.1.0
The skill bundle contains a shell injection vulnerability in 'scripts/expiry-arb.ts', where the user-provided 'query' argument is passed unsanitized to a shell command via 'execSync'. Additionally, 'scripts/install.sh' employs the risky 'curl | sh' pattern to execute a remote script from GitHub. While these are critical security flaws (RCE risks), they appear to be unintentional vulnerabilities rather than intentional malware, as the bundle's logic consistently supports its stated purpose of Polymarket trading.
Capability assessment
Purpose & Capability
Name, description, and included scripts (search, get-market, price checks, expiry-arb) are coherent with a Polymarket CLI/arb scanner; required files and commands (polymarket binary, parsing JSON) match the stated purpose.
Instruction Scope
Runtime instructions and scripts rely heavily on shell execution of the `polymarket` binary and explicitly instruct interactive wallet setup/import (which requires private keys). The TypeScript scanner executes a shell command built by interpolating the user query into execSync without escaping, creating a potential command-injection vector if untrusted input is used. The SKILL.md also recommends piping a remote install script into sh (curl | sh). These behaviors are within the broad purpose but introduce actionable risks that are not mitigated in the instructions.
Install Mechanism
There is no centralized install spec, but scripts/install.sh and SKILL.md instruct using remote installers: raw.githubusercontent.com (curl | sh), git clone from GitHub, and rustup (curl | sh). These are well-known hosts but piping remote scripts to sh and invoking rustup remotely is inherently risky and should be reviewed prior to execution. The TypeScript script uses npx/tsx (runtime npm fetch).
Credentials
The skill declares no required environment variables or credentials. Wallet operations documented (wallet import, approve set) legitimately require private keys/MATIC for trading and are optional for read-only operations. However, the skill and docs suggest entering private keys directly into CLI commands; users should avoid supplying keys to untrusted environments.
Persistence & Privilege
Skill flags are standard (always:false). The skill does not request persistent platform privileges or modify other skills. It references user config at ~/.config/polymarket/config.json and sources $HOME/.cargo/env—expected for this tool.
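How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install mgnlia-polymarket
  3. Once installation completes, invoke the Skill by name or trigger it with /mgnlia-polymarket
  4. Provide the required inputs according to the Skill's parameter description to get structured output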
Version history
v1.1.0
Full CLI reference, expiry arb scanner, helper scripts, install automation
v1.0.0
Initial release — CLI reference, expiry arb scanner, helper scripts
Metadata
Slug mgnlia-polymarket
Version 1.1.0
License
Total installs 0
Current installs 0
Number of versions 2
FAQ

What is Polymarket CLI & Arb Scanner?

Browse, trade, and manage positions on Polymarket prediction markets via the polymarket CLI. Use when: user asks about prediction market odds, wants to searc... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 340 total downloads to date.

How do I install Polymarket CLI & Arb Scanner?

Run the command "/install mgnlia-polymarket" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.

Is Polymarket CLI & Arb Scanner free?

Yes, Polymarket CLI & Arb Scanner is completely free (free and open source) and can be freely downloaded, installed, and used.

Which platforms does Polymarket CLI & Arb Scanner support?

Polymarket CLI & Arb Scanner is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Polymarket CLI & Arb Scanner?

Developed and maintained by guzus (@guzus); the current version is v1.1.0.
