polymarket
Audited by Socket on Mar 1, 2026
1 alert found:
Malware
The skill documentation and scripts themselves are not obviously malicious: they reference official Polymarket APIs and provide reasonable example scripts for monitoring and portfolio tracking. However, the skill mandates installing and running an external third-party binary (openclawcli) distributed via a GitHub releases link and a glot.io snippet (including a password-protected ZIP for Windows) without providing verification (checksums, signatures) or transparency about how credentials/wallets are handled. This introduces a significant supply-chain and credential risk: the external CLI could sign transactions, access keys, or exfiltrate data. Overall risk is moderate to high due to the download-and-execute pattern and dependence on an unvetted binary for core capabilities. Users should not run or install the external CLI unless they can verify its provenance, review its code/binary, and understand how it manages keys and network access.