Total downloads: 261
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install poly-cli
Description
Operate Polymarket from terminal with the `polymarket` Rust CLI (v0.1.5). Covers market/event/tag/series discovery, CLOB order book queries (single & batch),...
Security usage recommendations
This skill is coherent with being a Polymarket CLI helper, but it raises red flags you should address before installing or letting an agent run it:
- Do not blindly run curl | sh from raw.githubusercontent.com; inspect the install.sh contents yourself or prefer Homebrew/git+cargo builds from the upstream repo.
- The skill metadata declares no credentials, yet the tool needs wallet private keys and can manage API keys and perform on-chain writes. Treat any request for a private key as high-risk: never paste your primary/private key into an agent. Prefer read-only queries or use an ephemeral/test wallet with minimal funds for any automated actions.
- Confirm the upstream repository and release artifacts (GitHub repo, tags/releases) and verify checksums/signatures where possible.
- Require explicit, per-action user confirmation for any write operation (orders, approvals, wallet reset, bridge deposit, API-key creation/deletion). Consider providing only read-only functionality to the agent if you cannot fully vet the install and code.
- If you need this skill, ask the publisher for a homepage/repo release URL and a reproducible install method (signed release or package) and add required env/config declarations (POLYMARKET_PRIVATE_KEY, config path) so permissions are explicit.
If you want, I can: (1) fetch and show the contents of the recommended install.sh for review (do not execute it), (2) produce a safe checklist to install the CLI manually, or (3) rewrite the skill instructions to avoid piping remote scripts and to explicitly demand user confirmation before any secret/transactional action.
Functional analysis
Type: OpenClaw Skill
Name: poly-cli
Version: 0.1.5
The skill provides a CLI interface for Polymarket that handles sensitive operations, including importing and overriding private keys via command-line arguments and configuration files (SKILL.md, commands.md). It explicitly directs the agent to install software using a high-risk 'curl | sh' pattern from a remote GitHub repository (https://raw.githubusercontent.com/Polymarket/polymarket-cli/main/install.sh), which is a common vector for supply chain attacks and arbitrary code execution. While these capabilities are functionally relevant to a trading tool, the combination of raw credential handling and unverified remote script execution presents a significant security risk.
Capability assessment
Purpose & Capability
The name/description (Polymarket CLI) matches the SKILL.md: it documents many read and write CLI operations for Polymarket. However, many of those operations legitimately require signing credentials (private keys) and access to local config, but the skill's metadata declares no required environment variables or config paths — an omission that makes the declared purpose incomplete in the metadata.
Instruction Scope
SKILL.md explicitly instructs running commands that can expose or use secrets (wallet show, approve set, create-order, bridge deposit, create-api-key) and references private-key handling. It also recommends installing via piping a remote install script to sh. The instructions reference a config path (~/.config/polymarket/config.json) and an env var (POLYMARKET_PRIVATE_KEY) even though the skill metadata lists none — the agent could be instructed to read those secrets or to accept a --private-key value, so the runtime scope reaches beyond what's declared.
Install Mechanism
There is no formal install spec, but the runtime doc encourages: curl -sSL https://raw.githubusercontent.com/Polymarket/polymarket-cli/main/install.sh | sh. Piping an arbitrary remote script to sh is high-risk. Alternatives (Homebrew, git + cargo) are more transparent, but the primary suggested one-liner is a risky pattern and should be reviewed before execution.
Credentials
The metadata lists no required env vars, yet the docs mention --private-key, POLYMARKET_PRIVATE_KEY, and a local config file as canonical private-key sources. The skill will operate on sensitive assets (wallet keys, approvals, on-chain txs) and manage API keys; those require explicit declaration and user consent. This mismatch increases risk of accidental secret exposure.
Persistence & Privilege
always:false (no forced persistence) and default autonomous invocation are fine. The skill can perform write operations (including wallet reset and key/API-key management) if run, but there is no indication it alters other skills or requests permanent system privileges. Still, weigh this together with the install-script and secret-handling concerns.
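How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install poly-cli
- Once installation completes, call the Skill by name or trigger it with /poly-cli
- Provide the required inputs according to the Skill's parameter description to get structured output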
Version history
v0.1.5
v0.1.5: Full command coverage (~100 commands across 10 sections), batch queries, order types (GTC/FOK/GTD/FAK), bridge, rewards, sports metadata, troubleshooting guide
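Metadata
FAQ
What is Polymarket CLI?
Operate Polymarket from terminal with the `polymarket` Rust CLI (v0.1.5). Covers market/event/tag/series discovery, CLOB order book queries (single & batch),... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 261 total downloads to date.
How do I install Polymarket CLI?
Run the command "/install poly-cli" in the OpenClaw or Claude Code chat box for a one-click install; no additional configuration is required.
Is Polymarket CLI free?
Yes, Polymarket CLI is completely free. It is released under the MIT-0 license and can be freely downloaded, installed and used.
Which platforms does Polymarket CLI support?
Polymarket CLI is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who develops Polymarket CLI?
It is developed and maintained by seandong (@seandong); the current version is v0.1.5.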