v1.2.0

Polymarket Sports Edge

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 6:28 AM.

Analysis

This looks like a real Polymarket trading bot, but it can run on a schedule and place live trades with API-key access, so it should be reviewed carefully before use.

GuidanceOnly install this if you intentionally want an automated Polymarket sports trading bot. Start in dry-run mode, review the code and logs, confirm the exact entrypoint and schedule, use limited-scope credentials if available, set very small trade sizes, and avoid enabling LIVE=true or cron execution until you have hard limits and monitoring in place.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation

SeverityHighConfidenceHighStatusConcern

SKILL.md

When a market is mispriced relative to sharp bookmaker lines, it buys the underpriced side. ... # Live trading
LIVE=true python sports_edge.py

The skill is explicitly designed to place live Polymarket trades, not only analyze odds. The artifacts do not describe per-trade confirmation or total exposure limits once live mode is enabled.

User impactIf enabled for live trading, the skill could spend funds, enter bad positions, or repeatedly trade based on imperfect market matching.

RecommendationKeep LIVE=false until reviewed, use a very small TRADE_AMOUNT, add explicit per-trade approval or hard exposure limits, and monitor logs before allowing unattended trading.

Rogue Agents

SeverityHighConfidenceHighStatusConcern

clawhub.json

"cron": "0 * * * *",
  "automaton": {
    "managed": true,
    "entrypoint": "sports_edge.py"

The skill declares a managed scheduled automaton that runs the trading entrypoint hourly. In live mode, that persistence can keep acting on the user's account without a manual command each time.

User impactThe bot may continue scanning and potentially trading on a recurring schedule after installation/configuration.

RecommendationDisable or remove the cron/automaton until you are comfortable with the code, and only enable scheduling after setting strict trade and loss limits.

Agentic Supply Chain Vulnerabilities

SeverityMediumConfidenceHighStatusConcern

metadata

Required env vars: none ... Primary credential: none ... No install spec — this is an instruction-only skill.

This registry-level description conflicts with the included clawhub.json files, which require pip packages, SIMMER_API_KEY/THE_ODDS_API_KEY, and a managed scheduled entrypoint. That mismatch under-declares important installation and runtime requirements.

User impactA user may underestimate that the skill installs dependencies, needs credentials, and can run as an automaton.

RecommendationTreat the package as a runnable trading bot, not instruction-only documentation; review clawhub.json and sports_edge.py before installing or granting credentials.

Agentic Supply Chain Vulnerabilities

SeverityLowConfidenceHighStatusNote

clawhub.json

"requires": {
    "pip": ["simmer-sdk", "requests"],
    "env": ["SIMMER_API_KEY", "THE_ODDS_API_KEY"]
  }

The dependency use is purpose-aligned, but the pip packages are unpinned. For an automated trading skill, dependency provenance and version locking matter.

User impactFuture dependency changes could alter behavior in a high-impact trading context.

RecommendationPin dependency versions and verify the Simmer SDK package source before using it with live trading credentials.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityMediumConfidenceHighStatusNote

sports_edge.py

SimmerClient(
            api_key=os.environ["SIMMER_API_KEY"],
            venue="polymarket",

The skill uses a Simmer API key for the Polymarket venue. This is expected for its trading purpose, but it is still account-level authority that can affect funds.

User impactA configured API key may allow the skill to access trading functions tied to the user's Polymarket/Simmer account.

RecommendationUse the least-privileged key available, rotate it if testing with untrusted code, and confirm whether the key can trade before enabling LIVE=true.