Polymarket Monitor

Monitor Polymarket prediction markets and alert when odds cross a threshold. Use when a user wants to track any Polymarket market probability, set up recurri...

This skill appears internally consistent and low-risk: it fetches public Polymarket endpoints and posts alerts via the agent's messaging tool. Before installing, consider: (1) the agent will create recurring cron jobs that make network requests and can send Slack DMs — confirm you trust the agent's Slack integration and that the message tool has only the permissions you expect; (2) test with a low-frequency schedule and a safe/test Slack channel or user ID; (3) you can run the included Python script locally first to verify behavior; (4) the package has no homepage and an unknown owner—if provenance matters to you, ask the publisher for more information. If you decide to proceed, ensure you know how to cancel the cron job (cron remove <id>) and verify the agent's delivery and alerting behavior on initial runs.

Type: OpenClaw Skill Name: polymarket-monitor Version: 1.0.1 The skill is classified as suspicious due to a critical shell injection vulnerability identified in `SKILL.md`. In Workflow Step 1, the instruction `curl "https://gamma-api.polymarket.com/events?search=<topic>&limit=10&active=true"` directly embeds user-controlled `<topic>` into a shell command. If the AI agent executes this `curl` command without proper sanitization or escaping of the `<topic>` input, it could lead to arbitrary command execution (RCE). While the `scripts/check_markets.py` file demonstrates good input validation for `conditionId` arguments, this does not mitigate the shell injection risk present in the `SKILL.md` instructions for the agent. There is no evidence of intentional malicious behavior such as data exfiltration to unauthorized endpoints or persistence mechanisms.