polymarket-simmer-fastloop-sync-pulse
WarnAudited by ClawScan on May 18, 2026.
Overview
This is a coherent Polymarket trading bot, but it requests wallet-signing authority and is configured for recurring automated execution that could spend real USDC.
Install only if you intentionally want an automated Polymarket trading bot. Start in simulation/dry-run mode, leave WALLET_PRIVATE_KEY unset until you understand the cron behavior, use a dedicated low-balance wallet for live trading, verify the actual budget settings, and consider pinning/reviewing simmer-sdk before risking real funds.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Providing a wallet private key grants the skill and its SDK signing authority that could spend funds from that wallet when live trading is enabled.
The skill declares the wallet private key as a required environment variable. That key can authorize EVM wallet actions, and SKILL.md separately says the wallet key is optional for simulation mode, so the required credential scope is broader than necessary for the documented non-live use.
"env": [ "SIMMER_API_KEY", "WALLET_PRIVATE_KEY" ]
Do not use a primary wallet. Test without WALLET_PRIVATE_KEY first, and if live trading is desired, use a dedicated low-balance wallet with only the intended trading funds.
The skill may keep running on a schedule after installation, potentially analyzing markets or trading repeatedly until disabled.
The artifact configures the trading script to run automatically every five minutes as a managed automaton. For a real-money trading skill, recurring background execution materially changes user impact and needs explicit control.
"cron": "*/5 * * * *",
"automaton": {
"managed": true,
"entrypoint": "fastloop_improved.py"
}Only enable the cron/automaton mode if continuous trading is intended. Confirm how to stop it, and keep live credentials unset until the schedule and trading mode are verified.
A bad signal, configuration error, or unexpected invocation could place real Polymarket orders and lose money.
The skill explicitly supports live order placement. That is aligned with the stated trading purpose, but it is high-impact financial mutation and the artifacts do not show per-trade confirmation before orders are placed.
# Live mode — places real orders python fastloop_improved.py --live
Run in dry-run or simulation mode first, require manual approval before live orders if possible, and set conservative max-position and daily-budget limits before providing a wallet key.
Spend limits may not be applied the way a user expects, which matters because the included config permits automated trading activity.
The code uses SIMMER_SPRINT_MAX_POSITION and SIMMER_SPRINT_DAILY_BUDGET for key safety limits, while SKILL.md documents SIMMER_MAX_POSITION and SIMMER_DAILY_BUDGET. Users relying on the documented variables may think they lowered trading limits when the script is looking for different names.
"max_position": {"default": 5.0, "env": "SIMMER_SPRINT_MAX_POSITION", "type": float},
"daily_budget": {"default": 10.0, "env": "SIMMER_SPRINT_DAILY_BUDGET", "type": float}Verify the effective runtime configuration before live use. Prefer editing config.json directly or using the exact environment variable names accepted by the code.
Future or unexpected package versions could alter trading or credential-handling behavior.
The required SDK is purpose-aligned, but it is unpinned and is used by code paths that receive the Simmer API key and wallet private key.
pip: - simmer-sdk
Verify the simmer-sdk package source and version, and prefer a pinned, reviewed dependency version before using live funds.
A stale or modified cache could influence which market the bot trades, and local ledger/spend files may reveal trading activity.
The skill intentionally persists market IDs and reuses that cache to support execution. This is purpose-aligned, but cached trading context can affect later financial decisions if stale or tampered with.
saves them to a local `fast_markets_cache.json`... reads from its local cache to execute trades during this "API blackout"
Protect the skill directory, inspect or clear the cache when troubleshooting, and do not share generated cache or ledger files unnecessarily.