Polymarket Executor

Name, description, code, and optional env vars align with a trading bot (Polymarket API keys, wallet, Telegram alerts). However the documentation and systemd instructions assume specific host/container paths and a particular operator ('Wesley') which is not necessary for the stated purpose and indicates the package is tailored to a particular deployment.

Runtime instructions go beyond simply running a bot: they instruct copying files into a specific Docker container, adding variables to a host .env, and creating a systemd service that loads that .env. These steps touch host configuration, require elevated privileges, and could expose unrelated host secrets. The SKILL.md also allows broad scanning (hundreds–thousands of markets) and continuous autonomous looping, giving the agent broad operational discretion.

There is no external install/download step; the skill is instruction + a single Python file that claims to use the standard library only. No remote archive downloads or third-party package installs were specified, reducing supply-chain risk.

Requested environment variables (Polymarket API key/secret/passphrase, wallet address, capital, Telegram tokens) are reasonable for a live trading bot and are marked optional for paper mode. However documentation recommends placing these in a shared host .env and references an existing TELEGRAM_CHAT_ID and other owner-specific values—this risks exposing other host secrets if the same .env holds unrelated credentials.

The repo includes a systemd setup that runs the executor as root and auto-starts it on boot (Enable/Start instructions). While long-running services are expected for trading bots, running as root and loading a host EnvironmentFile increases privilege and persistence risk. The skill itself is not forced-always, but its documentation explicitly guides the user to grant high persistence and host-level privileges.