Polymarket Wallet Xray
Audited by ClawScan on May 10, 2026.
Overview
The wallet analysis itself appears read-only, but the skill also requests a Simmer API key and includes account/position access despite advertising that no authentication is needed.
Review this skill carefully before installing. The public wallet x-ray script appears read-only, but do not provide SIMMER_API_KEY unless you specifically want the account-status helper to read your Simmer balance and positions. The skill author should clarify which features need authentication and what permissions the API key has.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If you provide the API key, the skill can read private Simmer account and trading-position information, not just public wallet activity.
The helper script uses a bearer API key to retrieve account balance, exposure, PnL, and open positions. That is sensitive account access and is broader than the advertised public no-auth wallet analysis.
api_key = os.environ.get("SIMMER_API_KEY") ... portfolio = api_request(api_key, "/api/sdk/portfolio") ... result = api_request(api_key, "/api/sdk/positions")
Only provide a Simmer API key if you intend to use account-status features, prefer a read-only or least-privilege key if available, and confirm what permissions the key grants.
A user may install expecting a public-data-only tool but then be prompted to provide a sensitive credential.
The documentation gives conflicting expectations: it prominently says no authentication is needed, then instructs setup to request and store an API key.
**No authentication needed.** Queries Polymarket's public CLOB API directly. ... **Ask for Simmer API key** ... Store in environment as `SIMMER_API_KEY`
The skill should clearly separate the no-auth public wallet analyzer from optional authenticated Simmer account features and disclose the credential scope before asking for the key.
Wallet addresses or markets you analyze may be visible to the external API provider.
The main analyzer sends wallet addresses to Polymarket's public data API. This is expected for the stated wallet-analysis purpose and appears read-only.
DATA_API_BASE = "https://data-api.polymarket.com" ... url = f"{DATA_API_BASE}/activity?user={quote(wallet.lower(), safe='')}&limit={max_trades}"
Use the tool only for wallet addresses you are comfortable querying through Polymarket-related public APIs.
Installing packages from the package index adds normal dependency-supply-chain risk.
The documentation asks users to install unpinned packages. This is a normal setup pattern, but users should be aware it relies on external package provenance.
pip install simmer-sdk requests
Install dependencies from trusted sources, consider pinning versions, and review package provenance if using this in a sensitive environment.
