Polymarket Whale Copier

Copy trade winning Polymarket wallets automatically. Track whale wallets, mirror their bets at configurable percentages, with built-in risk management. No API keys needed.

This package is 'suspicious' rather than clearly malicious: it mostly contains readable code and only talks to Polymarket and a Polygon RPC, but it has several inconsistencies you should consider before installing or running with real funds. Key points: - Do not export or paste your real private key into POLYMARKET_KEY unless you fully trust and understand the code. The registry did not declare any required secret, but the Quick Start and copy_trader.py expect a private key. - The skill advertises automatic order execution and auto-redeem, but the code's execute_trade is a placeholder and auto-redeem only prints instructions; live trading / signing is not implemented. Do not assume it will place or redeem trades for you. - The code derives a wallet address by hashing the private key (not a correct eth derivation) — this is a poor implementation choice and suggests the author cut corners; prefer software using a standard web3 library for signing. - Network activity is limited to data-api.polymarket.com and polygon-rpc.com; there is no obvious exfiltration endpoint, but lack of declared credentials and inconsistent env var names (POLYMARKET_KEY vs POLYMARKET_WALLET) reduce transparency. Recommended actions: - If you want to try it, run only in dry_run mode (config.json default) and on an isolated/test environment with a throwaway wallet funded with minimal funds. - Inspect and, if necessary, replace the wallet-derivation and signing code with a standard, audited web3 library before attempting live trades. - Ask the publisher to update the registry metadata to declare the required credential(s) and to clarify differences between POLYMARKET_KEY and POLYMARKET_WALLET; request implementation of real signing/placement or remove misleading claims. - Prefer open-source tools that explicitly disclose how they handle keys (e.g., local signing only, never transmitted) and that implement signing with well-known libraries. If you are not comfortable auditing code yourself, do not provide your private key and avoid enabling live trading.

Type: OpenClaw Skill Name: polymarket-whale-copier Version: 1.0.0 The skill bundle is classified as suspicious due to its handling of sensitive user data and a critical functional flaw. The `SKILL.md` instructs the user to provide a `POLYMARKET_KEY` (private key) as an environment variable, which is then read by `scripts/copy_trader.py`. While the script makes legitimate network calls to Polymarket APIs, it contains a severe bug in `scripts/copy_trader.py`'s `_derive_wallet` function that incorrectly derives the Ethereum wallet address, rendering it non-functional for actual trading. Crucially, `scripts/copy_trader.py` explicitly states '⚠️ Live trading not implemented - use Polymarket CLOB API', meaning it cannot execute trades even if the private key derivation were correct. This combination of requesting a private key for a non-functional trading script, coupled with the potential for future malicious implementation if the 'not implemented' flag is removed, makes it suspicious.