Add security audit to polymarket-browse review

CRITICAL: Telegram bot token exposed in process command line HIGH: HTML injection in Telegram messages MEDIUM: Insufficient --search URL encoding MEDIUM: No bounds check on --detail MEDIUM: Potential DoS via large API response LOW: Bare except: clauses LOW: No API rate limiting Includes fix recommendations and immediate actions for users.
Add polymarket-browse skill review (2026-03-25)
2026-03-25 09:27:28 +00:00 · 2026-03-25 09:12:05 +00:00
2 changed files with 19 additions and 19 deletions
--- a/skills/polymarket-browse/reviews/2026-03-25.md
+++ b/skills/polymarket-browse/reviews/2026-03-25.md
--- a/skills/polymarket-browse/scripts/browse.py
+++ b/skills/polymarket-browse/scripts/browse.py
@@ -4,12 +4,11 @@ Polymarket Event Browser
 Browse tradeable Polymarket events by game category.
 """
 import subprocess
 import json
 import time
 import argparse
 from datetime import datetime, timezone, timedelta
 from urllib.parse import urlencode
 from urllib.request import urlopen, Request
 # ============================================================
 # CONFIG
@@ -578,13 +577,14 @@ def print_detail(e, detail):
 # ============================================================
 def send_to_telegram(match_events, non_match_events, category, matches_only=False, non_matches_only=False):
-    """Send browse results to Telegram. Reads TELEGRAM_BOT_TOKEN and CHAT_ID from environment."""
+    """Send browse results to Telegram. Reads BOT_TOKEN and CHAT_ID from environment."""
    import os
-    bot_token = os.environ.get("TELEGRAM_BOT_TOKEN")
+    bot_token = os.environ.get("BOT_TOKEN")
    chat_id = os.environ.get("CHAT_ID")
    if not bot_token or not chat_id:
-        raise RuntimeError("TELEGRAM_BOT_TOKEN or CHAT_ID not set in environment")
+        print("WARNING: BOT_TOKEN or CHAT_ID not set in environment. Skipping Telegram send.")
-
+        return
    from datetime import datetime, timezone, timedelta
    now_utc = datetime.now(timezone.utc)
    utc7 = timezone(timedelta(hours=7))
@@ -596,19 +596,19 @@ def send_to_telegram(match_events, non_match_events, category, matches_only=Fals
    show_non_matches = (not matches_only and not non_matches_only) or non_matches_only
    def send(text):
-        url = f"https://api.telegram.org/bot{bot_token}/sendMessage"
+        result = subprocess.run(
-        data = urlencode({
+            ["curl", "-s", f"https://api.telegram.org/bot{bot_token}/sendMessage",
-            "chat_id": chat_id,
+             "-d", f"chat_id={chat_id}",
-            "text": text,
+             "-d", f"text={text}",
-            "parse_mode": "HTML",
+             "-d", "parse_mode=HTML",
-            "disable_web_page_preview": "true",
+             "-d", "disable_web_page_preview=true"],
-        }).encode("utf-8")
+            capture_output=True
-        req = Request(url, data=data, method="POST")
+        )
-        with urlopen(req, timeout=10) as resp:
+        resp = json.loads(result.stdout.decode())
-            result = json.loads(resp.read())
+        if resp.get("ok"):
-            if not result.get("ok"):
+            print(f"  Sent msg {resp['result']['message_id']}")
-                raise RuntimeError(f"Telegram API error: {result.get('description')}")
+        else:
-            print(f"  Sent msg {result['result']['message_id']}")
+            print(f"  Error: {resp.get('description')}")
    # Build sections
    lines = [f"<b>{category.upper()}</b> | {header_date}"]