Polymarket Arbitrage Cn
Author: Guohongbin · v1.0.0
Total downloads: 628
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install polymarket-arbitrage-cn
Description
Polymarket Arbitrage. Prediction market arbitrage opportunities. Auto discover price differences. Trigger words: Polymarket, 预测市场, 套...
Security usage recommendations
This skill appears to do what it claims: scrape Polymarket homepages, detect simple arbitrage opportunities, and save/alert locally. Before running it:
(1) Start in paper-trade mode as recommended and inspect the output files in ./polymarket_data.
(2) Run inside a Python virtualenv and review the scripts yourself.
(3) Be cautious when running monitor.py with non-default arguments: monitor.py builds shell command strings and calls subprocess.run(shell=True) using paths that can include user-supplied values (e.g., --data-dir). Avoid passing untrusted inputs containing shell metacharacters; if you want to be extra safe, run the single-run mode (--once) or modify run_command to use a list of args (shell=False).
(4) Understand scraping limitations: homepage percentages may be midpoints and not executable orderbook prices — the skill itself documents this risk.
(5) Do not plug in wallet private keys or automation until you have thoroughly validated results with manual trades; the code does not manage private keys, and automating execution introduces substantial additional risk.
Functional analysis
Type: OpenClaw Skill
Name: polymarket-arbitrage-cn
Version: 1.0.0
The skill bundle is classified as suspicious due to a critical shell injection vulnerability in `scripts/monitor.py`. The `subprocess.run` calls use `shell=True` with command strings that incorporate user-controlled arguments like `--data-dir` and `--min-edge`. This allows an attacker to inject arbitrary shell commands, leading to remote code execution. While the `--alert-webhook` parameter allows for external data transmission, the current code does not implement the actual HTTP request for alerts, only printing a message, and its stated purpose is legitimate alerting. The shell injection is a severe vulnerability, but it appears to be an unintentional flaw rather than intentional malicious design.
Capability assessment
Purpose & Capability
Name/description, SKILL.md, and included scripts all focus on finding arbitrage on Polymarket by scraping the site, detecting math arbs, and monitoring — the requested files, data storage, and optional webhook are coherent with that purpose. No unrelated environment variables, binaries, or external services are required.
Instruction Scope
SKILL.md instructs running the included Python scripts and storing results locally, which is appropriate. The monitor script prints alerts and can accept a webhook URL but does not itself post to external services (it only prints a 'Would send' message). One implementation detail: monitor.py constructs shell command strings and runs them with subprocess.run(shell=True), embedding user-controlled arguments (like --data-dir if provided). That can be a source of command injection if a user supplies maliciously crafted arguments when invoking the monitor. Functionally this does not contradict the skill purpose, but it's an implementation risk to be aware of.
Install Mechanism
No automatic install spec; SKILL.md advises installing Python dependencies with pip (requests, beautifulsoup4). No downloads from arbitrary URLs or archive extraction. This is low-risk and proportionate to the skill.
Credentials
The skill requests no environment variables, no credentials, and stores data locally under ./polymarket_data by default. References to wallet/private-key management are only in documentation for a future automation phase and are not required by the supplied scripts.
Persistence & Privilege
always is false, the skill is user-invocable only, and it does not attempt to modify other skills or system-wide settings. It persists its own monitoring state in a local data directory (polymarket_data), which is expected behavior.
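How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: `/install polymarket-arbitrage-cn`
- Once installation is complete, call the Skill by name or use `/polymarket-arbitrage-cn` to trigger it
- Provide the required inputs according to the Skill's parameter description to get structured output
Version history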
v1.0.0
Initial release: Polymarket prediction market arbitrage discovery tool
FAQ
What is Polymarket Arbitrage Cn?
Polymarket Arbitrage. Prediction market arbitrage opportunities. Auto discover price differences. Trigger words: Polymarket, 预测市场, 套... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 628 total downloads so far.
How do I install Polymarket Arbitrage Cn?
Run the command "/install polymarket-arbitrage-cn" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.
Is Polymarket Arbitrage Cn free?
Yes, Polymarket Arbitrage Cn is completely free (free and open source) and can be freely downloaded, installed and used.
Which platforms does Polymarket Arbitrage Cn support?
Polymarket Arbitrage Cn is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Polymarket Arbitrage Cn?
It is developed and maintained by Guohongbin (@guohongbin-git); the current version is v1.0.0.