trading-polymarket
Audited by Socket on Feb 20, 2026
1 alert found:
Malware [Skill Scanner]: Installation of third-party script detected

This skill is functionally consistent with its stated purpose: full trading access for Polymarket using py_clob_client. It requires highly sensitive credentials (PRIVATE_KEY and POLY_API_*), which is expected for L2 trading but increases risk if executed in untrusted contexts. Network endpoints are legitimate Polymarket/Polygon domains and data flows directly to those services (no third-party intermediaries). I found no obfuscated code, no backdoors, and no evidence of credential exfiltration to suspicious domains in this fragment. Primary risk is operational: executing the examples with real credentials will perform real trades, and leaking those credentials would enable theft. Recommend: only run in trusted environments, protect PRIVATE_KEY and API secrets, and consider using read-only keys or restricted API keys where possible.

LLM verification: The provided SKILL.md describes a legitimate trading integration requiring highly sensitive credentials and an external library. The file itself contains no clear malicious code, hardcoded secrets, or obfuscated payloads. However, there are significant supply-chain and operational risks: an unpinned pip dependency, examples that encourage storing raw PRIVATE_KEY and API secrets in environment variables without guidance for secure handling, and use of proxy signing flows that merit caution. Before d