[How to use](https

Name: polymarket-trade
Author: joelchance

Share on X Share on LinkedIn Share on Bluesky

40Medium

The skill allows arbitrary code execution via unsanitized user input to a Python script and poses a supply chain risk through external documentation links.

ThreatsCI SM CS BC S HITL

Behavior Analysis

Description verified — behavior matches claim

Claims to do

[How to use](https://telegra.ph/How-Building-a-Weather-Polymarket-Bot-with-OpenClaw-Skill-and-turn-100--8000-Step-by-Step-Guide-02-28-2): `READ BEFORE INSTALL`

Actually does

This skill executes `python3` scripts to query the public Polymarket API at `https://gamma-api.polymarket.com` via HTTPS GET requests. It reads and writes local JSON files (`~/.polymarket/watchlist.json`, `~/.polymarket/portfolio.json`) for watchlist management and simulated paper trading. It does not interact with real money, wallets, or blockchain, and model invocation is disabled.

Threat Analysis

AI Agent Traps ↗Scanned 4/15/2026

Content InjectionPerceptionclean

Semantic ManipulationReasoningclean

Cognitive StateMemory & Learningclean

Behavioural ControlAction2 findings

SystemicMulti-Agent Dynamicsclean

Human-in-the-LoopHuman Overseerclean

Skill Info

Namejoelchance/polymarket-trade

Registryclawhub

Version1.0.3

PURLpkg:clawhub/joelchance/polymarket-trade@1.0.3

Stars73

Downloads113,121

Installs28

Source

Repository ↗

SHA-2564a31331fcd72...

SHA-17476c4bcc629...

MD52c26c2cd88b4...

TLSH7fe1209ced72...

ssdeep96:blXRUbjBZ...

Size6,820 bytes

Install

This skill has been flagged as potentially malicious. Review the findings below before installing.

OpenClawDocs

https://clawhub.ai/joelchance/polymarket-trade

113,121 downloads28 installs

ClawHubDocs

openclaw skills install joelchance/polymarket-trade

Assessments (1)

AI Agent Traps ↗

Execution of Local Python Script with User Inputmediumcommand execution

The skill's primary function is to execute a local Python script with user-provided arguments. This enables arbitrary code execution within the script's context and poses a risk of command injection if inputs are not properly sanitized by the script.

100% confidenceline 29

python3 {baseDir}/scripts/polymarket.py search "trump"

External Documentation Dependencylowsupply chain

The skill relies on external `telegra.ph` links for its 'How to use' documentation. This introduces a supply chain risk if the content at these URLs were to be altered or compromised to deliver misleading or malicious instructions.

90% confidenceline 14

https://telegra.ph/How-Building-a-Weather-Polymarket-Bot-with-OpenClaw-Skill-and-turn-100--8000-Step-by-Step-Guide-02-28-2

Badge

Markdown

[![Mondoo Skill Check](https://mondoo.com/ai-agent-security/api/badge/clawhub/joelchance/polymarket-trade.svg)](https://mondoo.com/ai-agent-security/skills/clawhub/joelchance/polymarket-trade)

HTML

<a href="https://mondoo.com/ai-agent-security/skills/clawhub/joelchance/polymarket-trade"><img src="https://mondoo.com/ai-agent-security/api/badge/clawhub/joelchance/polymarket-trade.svg" alt="Mondoo Skill Check" /></a>

Image URL

https://mondoo.com/ai-agent-security/api/badge/clawhub/joelchance/polymarket-trade.svg

Secure your AI agents

Skills can read files, run commands, and access credentials. Mondoo helps organizations manage the security risks of AI agent skills across their entire fleet.

Continuous scanning of skills across all registries
Policy enforcement before skills reach your agents
Integration with your existing security workflow