Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
polymarket-simmer-fastloop-sync-pulse
v1.0.7
Trade Polymarket BTC/ETH/SOL 5-minute fast markets using a zero-delay Triple-Trigger strategy. Combines Binance momentum, NOFX OI/Netflow (free public API),...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The code and SKILL.md implement a Polymarket trading sniper using the Simmer SDK, Binance and NOFX data — which legitimately requires a Simmer API key and optionally a wallet private key. However, the top-level registry summary stated 'Required env vars: none' while clawhub.json and SKILL.md require SIMMER_API_KEY (and optionally WALLET_PRIVATE_KEY), an inconsistency that should be resolved.
Instruction Scope
Runtime instructions and the Python script stay within trading scope: they fetch market IDs, query Binance/NOFX/CLOB endpoints, pre-cache market IDs, and optionally sign trades with a provided private key. The skill writes local cache and ledger files (daily_spend.json, fastloop_ledger.json, fast_markets_cache.json) to its directory — expected for execution logging and caching.
Install Mechanism
This is instruction-plus-code (no packaged installer). The project expects the simmer-sdk Python package (declared in SKILL.md and clawhub.json). No remote download URLs or obfuscated installers were found, but pip-installing simmer-sdk implicitly trusts that package and its dependencies.
Credentials
Requested secrets are proportionate to trading (SIMMER_API_KEY required; WALLET_PRIVATE_KEY optional to enable live trades). These are highly sensitive: giving a private key enables real-money trading and could expose funds if misused. The skill also reads additional env vars (AUTOMATON_MAX_BET and many SIMMER_* overrides) that are consistent with config but the registry metadata mismatch (required env vars reported as 'none') is concerning.
Persistence & Privilege
clawhub.json config includes a cron (*/5 * * * *) and automaton.managed:true, so the skill is intended to run every 5 minutes automatically. The skill does not request 'always: true' and does not modify other skills' configs. Autonomous periodic execution with an optional live wallet increases risk if you provide WALLET_PRIVATE_KEY without strict review.
Scan Findings in Context
[no_regex_findings] expected: The automated pre-scan reported no regex-based injection signals. Manual inspection still found an inconsistency between registry metadata (no required env vars) and the included clawhub.json/SKILL.md (which require SIMMER_API_KEY and optionally WALLET_PRIVATE_KEY).
What to consider before installing
Before installing:
1) Do not supply WALLET_PRIVATE_KEY unless you fully trust the code and the simmer-sdk package — prefer running in simulation mode first.
2) Verify the simmer-sdk package's provenance and review how SimmerClient handles private keys (confirm local signing vs. remote transmission).
3) Resolve the metadata mismatch: the registry claimed no required env vars but the files require SIMMER_API_KEY (mandatory) and WALLET_PRIVATE_KEY (optional).
4) Inspect the code yourself (or have a trusted reviewer) if you will run live — pay attention to any network endpoints and the SimmerClient instantiation.
5) If you lack comfort with private key handling, run only with no WALLET_PRIVATE_KEY (paper mode) or use a dedicated controlled wallet with minimal funds.
6) Note the skill is scheduled to run every 5 minutes (cron) — ensure that automated execution is acceptable before enabling.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
Environment variables
SIMMER_API_KEY: required
WALLET_PRIVATE_KEY: required