Simmer Skill Builder

Pass. Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: simmer-skill-builder
Version: 1.2.3

The bundle is a developer tool designed to assist an AI agent in generating, validating, and publishing trading skills for the Simmer platform. It contains utility scripts for account management (scripts/status.py) and a validator (scripts/validate_skill.py) that enforces best practices in generated code. The instructions in SKILL.md explicitly mandate safety features such as dry-run defaults, mandatory safeguards, and the use of the official Simmer SDK rather than direct API calls. No indicators of data exfiltration, malicious obfuscation, or unauthorized persistence were found; all behaviors are consistent with the stated purpose of a skill-building framework.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A malicious or low-quality tweet or web page could influence the generated bot’s trading logic if the output is not reviewed.

Why it was flagged

The builder intentionally uses user-provided social/web content and external docs to shape generated trading code. This is purpose-aligned, but untrusted text could include misleading strategy logic or prompt-like instructions.

Skill content

They might: ... Paste a tweet or thread about a strategy ... Ask your human to provide the relevant API docs, or web-fetch them if you have access.

Recommendation

Treat external strategy text and fetched docs as data, not authority. Inspect generated SKILL.md, clawhub.json, and Python code before installing or running it.

What this means

If a generated skill is run with live trading enabled, it can spend real funds or sell positions according to its strategy logic.

Why it was flagged

The generated scripts are designed to support live trading, but the template makes dry-run the default and requires an explicit --live flag for real trades.

Skill content

Usage:
    python <script>.py              # Dry run
    python <script>.py --live       # Real trades

Recommendation

Run generated skills in dry-run/paper mode first, set conservative position sizes and max trades, and only use --live after reviewing the code and strategy.

What this means

Anyone or any generated code with the API key may be able to access Simmer account data and, depending on configuration, perform trading actions.

Why it was flagged

The skill ecosystem expects a Simmer API key for account access. This is consistent with trading/account-status functionality, but it is a sensitive credential.

Skill content

"requires": { "env": [ "SIMMER_API_KEY" ], "pip": [ "simmer-sdk" ] }

Recommendation

Use a dedicated API key if possible, keep it out of generated files, avoid sharing logs, and revoke or rotate it if a generated skill behaves unexpectedly.

What this means

Future dependency changes could affect generated skills’ behavior or compatibility.

Why it was flagged

The required Python dependency is disclosed and central to the purpose, but it is not version-pinned in the artifact.

Skill content

"pip": [ "simmer-sdk" ]

Recommendation

For production trading, consider pinning tested dependency versions and reviewing dependency updates before running live.

What this means

Persistent or remotely tuned settings could change how a bot trades across runs, including in live mode.

Why it was flagged

Generated skills can use persistent local config and automaton-provided tuning to influence thresholds, sizing, and other behavior.

Skill content

Config priority: `config.json > automaton tuning > env vars > defaults`. When `slug` is provided, `load_config` automatically fetches tuned config from the Simmer Automaton

Recommendation

Review config.json, automaton tuning, and declared tunables before enabling automation or live trading.