Polymarket Btc Momentum

Warn. Audited by ClawScan on May 10, 2026.

Overview

This is a real-money Polymarket trading bot with under-declared credential and scheduled-automation behavior, and its safety checks can fail open before live trades.

Only install or run this if you are comfortable with a bot that can use your Simmer/Polymarket access for trading. Keep it in dry-run mode until you have reviewed the code, disabled or understood the five-minute automaton, limited the credential/budget where possible, and changed the safety checks to stop rather than proceed when warnings or context-check failures occur.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If run with --live, the bot may place a real trade even when its market-safety/context check failed or produced warnings.

Why it was flagged

Before the live trade call, warnings are only printed, and a failed context check explicitly proceeds anyway. For a financial trading bot, this is a fail-open path for high-impact account actions.

Skill content

if warnings:
    print(f"   ⚠️  Warnings: {warnings}")
...
except Exception as e:
    print(f"   ⚠️  Context check failed: {e} — proceeding anyway.")
...
result = get_client().trade(

Recommendation

Fail closed on context-check errors and warnings unless the user explicitly overrides them; add a clear per-trade confirmation or budget/risk limit for live mode.

What this means

Installing or running live mode may give the skill authority to spend funds or alter positions through the user's trading account.

Why it was flagged

The code requires a SIMMER_API_KEY and uses the resulting client to place Polymarket trades. That credentialed trading authority is high-impact and is not reflected in the provided registry metadata that says no env vars or primary credential are required.

Skill content

_client = SimmerClient(api_key=os.environ["SIMMER_API_KEY"], venue=venue)
...
result = get_client().trade(market.id, side, TRADE_AMOUNT, ...)

Recommendation

Declare the credential and trading capability in metadata, use a least-privilege or budget-limited key if possible, and make the user explicitly approve live trading permissions.

What this means

The skill may run repeatedly in the background and access APIs/account context more often than the user expects.

Why it was flagged

The package declares managed scheduled execution every five minutes, while SKILL.md only documents manual CLI usage. Even though the entrypoint defaults to dry run, this is recurring background behavior that users should opt into knowingly.

Skill content

"cron": "*/5 * * * *", "automaton": { "managed": true, "entrypoint": "btc_momentum.py" }

Recommendation

Document the cron behavior prominently, make scheduled execution opt-in, and clearly state whether scheduled runs are dry-run only or can ever execute live trades.

What this means

Future or unexpected package versions could change behavior outside the reviewed code.

Why it was flagged

The external Python packages are expected for this integration, but they are unpinned and the overall source is listed as unknown, so dependency provenance and version stability are worth checking.

Skill content

"requires": { "pip": ["simmer-sdk", "requests"], "env": ["SIMMER_API_KEY"] }

Recommendation

Pin dependency versions and provide provenance or a lockfile for the runtime dependencies.