Polymarket Sniper Bot (Standalone)

An autonomous trading agent for Polymarket (Polygon). Scans 15-minute markets for momentum and trades automatically. Includes dashboard, simulation mode, and...

This package looks like a real Polymarket sniper bot, but several things don't add up and you should be cautious: - Secrets and configuration: The bot needs a polygon RPC URL, wallet_private_key, and Polymarket CLOB API keys (these live in config.yaml). Do NOT put real/mainnet funds or your primary wallet private key in config.yaml until you fully trust the code — test with a burner wallet. The registry metadata did not declare these envs/credentials, so assume the publisher omitted them by mistake or intentionally. - License / remote contact: The code will POST PRO_LICENSE_KEY to LICENSE_SERVER to validate a 'Pro' license. This env var and server are not documented in the registry metadata. If you set a non-local LICENSE_SERVER it will transmit the PRO key over the network (note default is http:// not https). Only set PRO_LICENSE_KEY and LICENSE_SERVER if you trust the destination; otherwise leave unset (the code then runs in simulation mode). - Bootstrap risks: bootstrap.sh runs pip3 install -r requirements.txt with --break-system-packages and unpinned packages. That can modify your system Python environment. Prefer installing inside a controlled virtualenv, container, or isolated VM; consider pinning package versions and auditing dependencies before installing. - Dashboard exposure: The Flask dashboard listens on 0.0.0.0:5000 by default. Do not expose this port to the public internet; restrict access (firewall, SSH tunnel) if you run it on a remote server. - Incoherent docs vs behavior: DEPLOYMENT.md says enable live_trading via config.yaml, but the code gates live trading by validating a PRO license. Clarify this mismatch with the author before trusting 'live' mode. Recommended steps before running with real funds: 1) Review config.yaml.example and the code paths that send external requests (LICENSE_SERVER, GAMMA_API, CLOB_API, Discord webhook). 2) Run in simulation mode with a burner wallet and watch behavior. 3) Run inside an isolated environment (container/VM/virtualenv) and pin dependencies. 4) Consider replacing or validating LICENSE_SERVER with a safe value (or unset PRO_LICENSE_KEY). 5) If unsure about the source (homepage unknown), prefer not to run with real keys/funds.

Type: OpenClaw Skill Name: polymarket-sniper-bot-standalone Version: 1.0.1 The Polymarket Sniper Bot exhibits several high-risk discrepancies and dangerous behaviors. Most notably, there is a significant contradiction between the documentation and the implementation: while DEPLOYMENT.md and TROUBLESHOOTING.md instruct users to enable live trading via 'pro_mode' or 'live_trading' flags in config.yaml, the code in polymarket.py ignores these and instead enforces a license check against a LICENSE_SERVER (defaulting to localhost:8080) using a PRO_LICENSE_KEY environment variable. Furthermore, polymarket.py contains a dangerous fallback in calculate_momentum() that mocks a 3% price gain if API data is unavailable, which would trigger automated trades on every scanned market during API failures. Finally, the bootstrap.sh script uses the aggressive --break-system-packages flag, which can compromise the host's Python environment.