Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
Security Analysis
High confidence: The skill's code, instructions, and requirements are consistent with a read-only Polymarket query and local paper-trading tool that stores data under ~/.polymarket and does not request credentials or external access beyond Polymarket's public API.
Name/description promise (query Polymarket, trending, alerts, paper trading) matches the included script and SKILL.md. Minor mismatch: the script declares a Python dependency on the 'requests' library (in a comment header) but the registry metadata only requires 'python3' as a binary; no install step is provided to install requests. Functionality otherwise aligns with the stated purpose.
SKILL.md instructs only to run the bundled Python script and schedule it via cron. It documents that the skill performs HTTPS GETs to the public Gamma API, stores watchlist/portfolio JSON in ~/.polymarket, and does not access wallets or credentials. No instructions ask the agent to read unrelated system files, transmit data to unknown endpoints, or escalate privileges.
No install spec (instruction-only) — lowest-risk approach. The bundle includes a Python script that depends on 'requests' (commented in file). Because there's no install step, users must ensure dependencies (e.g., pip install requests) themselves; the lack of an explicit install step is a usability/security note but not malicious.
No environment variables, credentials, or config paths requested. The skill only stores local JSON under the user's home (~/.polymarket) which is consistent with the described watchlist and paper-trading features. No unexplained secrets or unrelated service tokens are requested.
always is false and disable-model-invocation is true (agent won't autonomously call it), so it has no elevated persistent privileges. The script writes only to its own data directory (~/.polymarket) and does not attempt to modify other skills or system-wide agent settings.
Guidance
This skill appears to do what it says: read public Polymarket data and maintain a local paper-trading/watchlist state in ~/.polymarket. Before installing or running:
1) Inspect the bundled scripts yourself (they are included).
2) Ensure Python and the required Python packages (notably 'requests') are installed in a controlled environment or virtualenv; the registry only lists python3 as a binary but the script needs requests.
3) Be aware the tool writes JSON files to ~/.polymarket (watchlist.json, portfolio.json) — back up or review those files if needed.
4) The SKILL.md links to an external Telegra.ph guide; do not run any commands from that guide unless you trust the source.
5) If you plan to run scheduled cron jobs, run them under a user account and consider redirecting output to logs you control.
If you want higher assurance, run the script in an isolated environment (container or VM) and audit network activity to confirm it only contacts gamma-api.polymarket.com.
Latest Release
v1.0.6
- No changes detected to commands or core functionality.
Published by @joelchance on ClawHub