grimoire-polymarket

Warn

Audited by Socket on Feb 26, 2026

1 alert found:

Security: MEDIUM
SKILL.md

This skill is functionally consistent: it requires signing credentials and the official Polymarket CLI to perform authenticated market and CLOB operations. It does not show obvious supply-chain download-execute patterns, obfuscated code, or third-party credential routing in this fragment. The primary risks are operational: storing a raw private key in an environment variable, the ability to override the CLI binary path (which could be hijacked), and the fact that the skill enables autonomous order placement with real-world financial impact. Recommended hardening: prefer hardware or delegated signers over raw private keys, restrict or validate the POLYMARKET_OFFICIAL_CLI path (verify a checksum or require the official install), add explicit per-action confirmation/authorization for order-executing operations, and avoid printing or logging secrets. Overall this appears not to contain malware but poses moderate supply-chain and operational risk if misused or misconfigured.

Confidence: 75%
Severity: 75%
Audit Metadata
Analyzed At
Feb 26, 2026, 05:13 PM
Package URL
pkg:socket/skills-sh/franalgaba%2Fgrimoire%2Fgrimoire-polymarket%2F@b2bd45b7f37662572294c96477d6600b400aada7