340 Downloads · 0 Stars · 0 Active Installs · 2 Versions
Install in OpenClaw
/install mgnlia-polymarket
Description
Browse, trade, and manage positions on Polymarket prediction markets via the polymarket CLI. Use when: user asks about prediction market odds, wants to searc...
Usage Guidance
This package implements the promised Polymarket CLI utilities and an expiry-arbitrage scanner, but take precautions before installing or running it:
- Review install scripts before running: install.sh and the SKILL.md recommend piping remote scripts into sh (raw.githubusercontent.com and rustup.sh). Only run them if you trust the source and have inspected the script contents.
- Treat wallet private keys as sensitive: do not paste or import private keys into software or agent environments you don't control. Prefer hardware wallets or ephemeral wallets and only enable trading in a locked-down environment.
- The TypeScript scanner calls the shell with a user-supplied query interpolated into the command; that can lead to command injection if untrusted input is used. If you run the script, only pass trusted queries or modify the code to properly escape/sanitize inputs (avoid unescaped shell interpolation; use execFile or pass args array).
- Running npx/tsx may download packages at runtime—consider installing dependencies locally or running inside an isolated container/VM.
- If you only need read-only features, avoid running wallet/setup commands and restrict network/privilege exposure.
If you want to proceed: inspect scripts/install.sh and expiry-arb.ts fully, run installation in an isolated environment (container or VM), and never expose private keys to untrusted processes.
Capability Analysis
Type: OpenClaw Skill
Name: mgnlia-polymarket
Version: 1.1.0
The skill bundle contains a shell injection vulnerability in 'scripts/expiry-arb.ts', where the user-provided 'query' argument is passed unsanitized to a shell command via 'execSync'. Additionally, 'scripts/install.sh' employs the risky 'curl | sh' pattern to execute a remote script from GitHub. While these are critical security flaws (RCE risks), they appear to be unintentional vulnerabilities rather than intentional malware, as the bundle's logic consistently supports its stated purpose of Polymarket trading.
Capability Assessment
Purpose & Capability
Name, description, and included scripts (search, get-market, price checks, expiry-arb) are coherent with a Polymarket CLI/arb scanner; required files and commands (polymarket binary, parsing JSON) match the stated purpose.
Instruction Scope
Runtime instructions and scripts rely heavily on shell execution of the `polymarket` binary and explicitly instruct interactive wallet setup/import (which requires private keys). The TypeScript scanner executes a shell command built by interpolating the user query into execSync without escaping, creating a potential command-injection vector if untrusted input is used. The SKILL.md also recommends piping a remote install script into sh (curl | sh). These behaviors are within the broad purpose but introduce actionable risks that are not mitigated in the instructions.
Install Mechanism
There is no centralized install spec, but scripts/install.sh and SKILL.md instruct using remote installers: raw.githubusercontent.com (curl | sh), git clone from GitHub, and rustup (curl | sh). These are well-known hosts but piping remote scripts to sh and invoking rustup remotely is inherently risky and should be reviewed prior to execution. The TypeScript script uses npx/tsx (runtime npm fetch).
Credentials
The skill declares no required environment variables or credentials. Wallet operations documented (wallet import, approve set) legitimately require private keys/MATIC for trading and are optional for read-only operations. However, the skill and docs suggest entering private keys directly into CLI commands; users should avoid supplying keys to untrusted environments.
Persistence & Privilege
Skill flags are standard (always:false). The skill does not request persistent platform privileges or modify other skills. It references user config at ~/.config/polymarket/config.json and sources $HOME/.cargo/env—expected for this tool.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install mgnlia-polymarket
- After installation, invoke the skill by name or use /mgnlia-polymarket
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.1.0
Full CLI reference, expiry arb scanner, helper scripts, install automation
v1.0.0
Initial release — CLI reference, expiry arb scanner, helper scripts
Frequently Asked Questions
What is Polymarket CLI & Arb Scanner?
Browse, trade, and manage positions on Polymarket prediction markets via the polymarket CLI. Use when: user asks about prediction market odds, wants to searc... It is an AI Agent Skill for Claude Code / OpenClaw, with 340 downloads so far.
How do I install Polymarket CLI & Arb Scanner?
Run "/install mgnlia-polymarket" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Polymarket CLI & Arb Scanner free?
Yes, Polymarket CLI & Arb Scanner is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Polymarket CLI & Arb Scanner support?
Polymarket CLI & Arb Scanner is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created Polymarket CLI & Arb Scanner?
It is built and maintained by guzus (@guzus); the current version is v1.1.0.