Wangbo Polymarket Copytrading
Author: wangbo12bob2-source · v0.2.0
Total downloads: 407
Favorites: 0
Current installs: 1
Versions: 2
Install in OpenClaw
/install wangbo-polymarket-copytrading
Description
Build and run Polymarket copy-trading workflows (trader discovery, peak/decline cycle detection, candidate ranking, risk limits, and execution handoff). Use...
Safe usage recommendations
Before installing or running this skill:
(1) Recognize that the scripts can place real Polymarket orders when run with --execute. Do not run with --execute unless you fully trust the code and environment.
(2) Confirm where signing keys live (polymarket CLI, local key store, or env vars) and never expose private keys to untrusted code.
(3) Require the author to update metadata/SKILL.md to declare required binaries (polymarket, curl) and the exact credential model needed, and add explicit warnings about financial risk.
(4) Test with dry-run only and inspect the polymarket CLI commands that will be executed; run in an isolated environment or with empty or unfunded accounts first.
(5) If you need to allow autonomous invocation, restrict permissions and review how the agent obtains confirmations before executing orders.
Functional analysis
Type: OpenClaw Skill
Name: wangbo-polymarket-copytrading
Version: 0.2.0
The skill bundle is designed for automated Polymarket copy-trading. The `scripts/auto_copytrade.py` script contains a command injection vulnerability. It constructs commands for an external `polymarket` CLI tool using values directly from the `references/auto-copytrade-config.example.json` configuration file. If an attacker could control the content of this configuration file (e.g., via a supply chain attack or prompt injection against the agent to modify the config or its path), they could inject arbitrary shell commands, leading to Remote Code Execution (RCE) and unauthorized financial transactions. This is a critical vulnerability, but not evidence of intentional malice within the skill's core logic.
Capability assessment
Purpose & Capability
The skill claims to build/run Polymarket copy-trading workflows and the scripts do exactly that (fetch leaderboard data, evaluate traders, and place orders). However, the registry metadata declares no required binaries or credentials even though the code invokes `curl` and a `polymarket` CLI (`polymarket markets get`, `polymarket clob market-order`). The absence of those requirements from the metadata is an inconsistency: either the skill owner omitted required prerequisites, or the skill expects the agent environment to already hold signing keys/configs (a sensitive implicit dependency).
Instruction Scope
SKILL.md instructs running the included scripts and describes dry-run vs execute flags, but it does not mention the need for the polymarket CLI, curl, or where signing credentials come from. The runtime instructions allow running the scripts with --execute which will call an external CLI to place market orders — a high-impact action. The instructions do not warn about or require explicit confirmation of privileged signing credentials or funding, nor do they document which endpoints/CLIs will be used to sign and send orders.
Install Mechanism
There is no install spec (instruction-only plus included scripts), so nothing is downloaded at install time — this is lower risk for code injection. However, runtime requires external binaries (curl and the polymarket CLI). The absence of an install step or documentation for obtaining the polymarket CLI is a usability/security gap: users may unknowingly run code that depends on preinstalled tools which can access local keys.
Credentials
Registry metadata lists no required environment variables or credentials, but the auto-copy config includes wallet addresses and the code calls a CLI that likely uses local signing keys or environment-based credentials. The scripts can perform signed market orders when invoked with --execute, which implies access to private keys or signing infrastructure; the skill does not declare, justify, or constrain access to those secrets. That mismatch is disproportionate for the published metadata and hides a sensitive requirement.
Persistence & Privilege
The skill is not always:true and does not request persistent/automatic inclusion. It does allow autonomous model invocation by default (normal), but there is no evidence the skill modifies other skills or system-wide agent settings. The main privilege concern is operational (placing real orders) rather than persistent installation.
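How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: `/install wangbo-polymarket-copytrading`
- Once installation completes, invoke the Skill by name or trigger it with `/wangbo-polymarket-copytrading`
- Provide the required inputs according to the Skill's parameter description to get structured output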
Version history
v0.2.0
Add auto monitor loop + threshold-based order execution script and config example
v0.1.0
Initial release: trader scan + peak/strong phase detection + risk template
FAQ
What is Wangbo Polymarket Copytrading?
Build and run Polymarket copy-trading workflows (trader discovery, peak/decline cycle detection, candidate ranking, risk limits, and execution handoff). Use... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 407 cumulative downloads to date.
How do I install Wangbo Polymarket Copytrading?
Run the command "/install wangbo-polymarket-copytrading" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.
Is Wangbo Polymarket Copytrading free?
Yes, Wangbo Polymarket Copytrading is completely free (free and open source) and can be freely downloaded, installed, and used.
Which platforms does Wangbo Polymarket Copytrading support?
Wangbo Polymarket Copytrading runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Wangbo Polymarket Copytrading?
It is developed and maintained by wangbo12bob2-source (@wangbo12bob2-source); the current version is v0.2.0.