Prediction Trade Journal
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A Simmer API key may allow access to private trading/account data, and possibly more if the key is not read-only.
The skill sends a bearer API key when calling the Simmer API. This is disclosed and purpose-aligned for syncing trade history, but trading-account credentials can be high-value if over-scoped.
SIMMER_API_KEY = os.environ.get("SIMMER_API_KEY", "") ... "Authorization": f"Bearer {SIMMER_API_KEY}"
Use a read-only or least-privilege Simmer API key if available, keep it revocable, and verify any SIMMER_API_URL override before use.
Local files may contain trading history, P&L, strategy notes, and confidence judgments that should not be shared casually.
The journal persists trading history and allows enrichment with thesis, confidence, and source context. This is central to the skill, but the stored data can be sensitive and may influence future reports.
Trades are stored locally in `data/trades.json` ... Other skills can enrich trades with context
Keep the skill data directory private, review exports before sharing them, and treat context added by other skills as user-reviewable input.
Installing an unpinned package can change behavior over time if the package is updated or if the wrong package source is used.
The setup asks users to install an external package without pinning a version. This appears related to the Simmer integration, but version/provenance is not tightly bounded.
pip install simmer-sdk
Install from a trusted package index, consider pinning an expected simmer-sdk version, and verify the package publisher before installation.
