Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Simmer Skills

v1.0.0

Trade prediction market contracts on simmer.markets using virtual or real funds with configurable risk limits and portfolio briefings via API or Python SDK.

Security Scan
Capability signals
Crypto · Requires wallet · Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
!
Purpose & Capability
The skill's stated purpose (browse, score, and execute trades) matches the included scripts which call simmer API endpoints. However the SKILL.md and scripts rely on a local credentials file (~/.config/simmer/credentials.json) and reference a private-key file under ~/.openclaw/workspace/memory/encrypted/simmer-polymarket-private-key.txt.enc. The registry metadata declared no required config paths or credentials, so required sensitive files are not declared in metadata — a coherence problem.
!
Instruction Scope
SKILL.md and the Python scripts explicitly instruct the agent to read the local credentials file to extract an API key and to call api.simmer.markets endpoints (briefing, markets, trade). SKILL.md also mentions a claimed agent, a private key path, and an external 'fear-harvester' script that will decrypt the private key and set venue='polymarket' automatically — that external integration is not included in this bundle. Instructions therefore access and rely on local secret files and external components beyond the skill bundle.
Install Mechanism
This is an instruction-only skill with bundled Python scripts and no installer spec — lowest risk from an installer perspective. README suggests installing simmer-sdk via pip (typo 'uv pip install' in README), but there is no opaque download or extract behavior in the package.
!
Credentials
The runtime requires access to an API key stored in ~/.config/simmer/credentials.json and the SKILL.md references a path to an encrypted private key for real-money trading. None of these config paths or secrets are declared in the registry metadata (requires.env/required config paths are empty). The skill is capable of executing real USDC trades (execute.py supports USDC venues) but the metadata gives no indication that such high-sensitivity credentials are required.
!
Persistence & Privilege
SKILL.md includes a top-level metadata.openclaw block setting always: true, which would force the skill to be loaded always; the registry flags show always: false, so there is a mismatch. An always-loaded trading skill that can access local credentials increases blast radius. The scripts also write a local trade_log.jsonl under the skill workspace (normal for a trading pipeline but noteworthy).
What to consider before installing

  • This skill will read your local Simmer API key from ~/.config/simmer/credentials.json and will call https://api.simmer.markets to fetch briefings, list markets, and place trades. If you have real funds linked (polymarket), the scripts support USDC trades.
  • The package mentions an encrypted private-key file and an external 'fear-harvester' integration that 'decrypts' and switches venue to polymarket. That external script is not included; understand where that decryption would run and who controls it before allowing this skill to run with your keys.
  • Metadata vs runtime mismatch: the registry metadata does not declare required credential/config paths, but SKILL.md and scripts require them. SKILL.md also contains an always: true flag which would make the skill load always; verify the platform's effective metadata and avoid enabling always: true unless intentional.
  • Safe steps before enabling:
      • Inspect the credentials file and ensure you use a dedicated trading wallet (not your main wallet) and minimal funds.
      • Run the pipeline in dry-run mode (--dry-run) and ensure no automatic real-money trades occur.
      • Audit and sandbox: run the scripts in an isolated environment or container, and confirm no unexpected network endpoints are contacted beyond api.simmer.markets.
      • If you plan to use real USDC trading, confirm where and how any private-key decryption is performed and who has access to that decryption code/keys.
  • If you are not comfortable reviewing or controlling the private-key decryption/integration, do not install or enable this skill with access to real credentials/funds.
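The metadata-versus-runtime mismatch described in the scan can be checked mechanically before a skill is enabled. The following is an added example, not part of the skill bundle or of ClawHub's scanner; the registry dict shape (`always`, `config_paths`) and the SKILL.md excerpt are constructed assumptions based on the findings above.

```python
import re

# Constructed SKILL.md excerpt mirroring what the scan describes (assumption).
SKILL_MD = """\
metadata:
  openclaw:
    always: true
Credentials: ~/.config/simmer/credentials.json (chmod 600)
Private key: ~/.openclaw/workspace/memory/encrypted/simmer-polymarket-private-key.txt.enc
Run Python: ~/.openclaw/workspace/skills/simmer/.venv/bin/python
"""
# Registry metadata as the scan reports it: nothing declared, always false.
# The field names are hypothetical, chosen for this example.
REGISTRY = {"always": False, "config_paths": []}

PATH_RE = re.compile(r"~/[\w./-]+")                      # home-relative paths
SENSITIVE_RE = re.compile(r"credential|private-key|secret|\.enc$|\.pem$", re.I)
ALWAYS_RE = re.compile(r"^\s*always:\s*(true|false)\s*$", re.M | re.I)

def audit_skill(skill_md: str, registry: dict) -> list[str]:
    """Return findings where the skill text and registry metadata disagree."""
    findings = []
    declared = set(registry.get("config_paths", []))
    # Strip a trailing sentence period so "file.json." still compares cleanly.
    paths = {p.rstrip(".") for p in PATH_RE.findall(skill_md)}
    for path in sorted(paths):
        if SENSITIVE_RE.search(path) and path not in declared:
            findings.append(f"undeclared sensitive path: {path}")
    match = ALWAYS_RE.search(skill_md)
    if match:
        doc_always = match.group(1).lower() == "true"
        reg_always = bool(registry.get("always", False))
        if doc_always != reg_always:
            findings.append(
                f"always mismatch: SKILL.md={doc_always} registry={reg_always}")
    return findings

if __name__ == "__main__":
    for finding in audit_skill(SKILL_MD, REGISTRY):
        print("FINDING:", finding)
```

The virtualenv interpreter path is not reported because it matches none of the sensitive-name patterns; extend `SENSITIVE_RE` to suit the secrets your environment stores.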

Like a lobster shell, security has layers — review code before you run it.

latestvk97eph51zvh80jn1wv7w7awnah855c8b
17 downloads
0 stars
1 version
Updated 7h ago
v1.0.0
MIT-0

Simmer Skill — Prediction Market Trading

Version: 1.16.3
API Base: https://api.simmer.markets
Dashboard: https://simmer.markets/dashboard
Agent: alex-chen (511569c0-fb37-428f-b4eb-d711b9ec877e)
Claim code: REDACTED_CODE

Setup

  • Credentials: ~/.config/simmer/credentials.json (chmod 600)
  • Python SDK: ~/.openclaw/workspace/skills/simmer/.venv (Python 3.11, simmer-sdk 0.8.26)
  • Run Python: ~/.openclaw/workspace/skills/simmer/.venv/bin/python

# Load API key
SIMMER_API_KEY=$(python3 -c "import json; print(json.load(open('$HOME/.config/simmer/credentials.json'))['api_key'])")

Quick Commands

# Health check (no auth)
curl -s https://api.simmer.markets/api/sdk/health

# Agent status + balance
curl -s https://api.simmer.markets/api/sdk/agents/me \
  -H "Authorization: Bearer $SIMMER_API_KEY"

# Briefing (heartbeat one-call)
curl -s "https://api.simmer.markets/api/sdk/briefing?since=$(date -u -d '4 hours ago' +%Y-%m-%dT%H:%M:%SZ 2>/dev/null || date -u -v-4H +%Y-%m-%dT%H:%M:%SZ)" \
  -H "Authorization: Bearer $SIMMER_API_KEY"

# Browse markets (by volume)
curl -s "https://api.simmer.markets/api/sdk/markets?sort=volume&limit=20" \
  -H "Authorization: Bearer $SIMMER_API_KEY"

# Trade (simmer virtual $SIM)
curl -s -X POST https://api.simmer.markets/api/sdk/trade \
  -H "Authorization: Bearer $SIMMER_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"market_id":"UUID","side":"yes","amount":10.0,"venue":"simmer","reasoning":"your thesis here"}'

Python SDK Usage

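import json
import os
import sys

# Neither sys.path nor open() expands "~", so resolve the home directory explicitly
sys.path.insert(0, os.path.expanduser('~/.openclaw/workspace/skills/simmer/.venv/lib/python3.11/site-packages'))
from simmer_sdk import SimmerClient

# Read the API key from the local credentials file (keep it chmod 600)
with open(os.path.expanduser('~/.config/simmer/credentials.json')) as f:
    creds = json.load(f)
client = SimmerClient(api_key=creds['api_key'])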

# Briefing (all-in-one)
briefing = client.get_briefing()
print(f"Balance: {briefing['portfolio']['sim_balance']} $SIM")
print(f"Rank: {briefing['performance']['rank']}/{briefing['performance']['total_agents']}")

# Markets
markets = client.get_markets(q="bitcoin", limit=10)

# Trade (virtual only until claimed)
market_id = "UUID"  # placeholder: substitute a real market ID, as in the curl example
result = client.trade(market_id, "yes", 10.0, source="sdk:strategy", reasoning="thesis")

Venues

Venue      | Currency      | Status
simmer     | $SIM virtual  | (paper only — do not use for real trades)
polymarket | USDC.e (real) | ACTIVE — wallet linked, real USDC
kalshi     | USD (real)    | ❌ Requires Pro + Solana wallet

Real Trading — ALREADY SET UP

  • Claimed: ✅ (REDACTED_CODE already claimed)
  • Wallet: 0xYOUR_WALLET_ADDRESS (linked)
  • Private key: ~/.openclaw/workspace/memory/encrypted/simmer-polymarket-private-key.txt.enc
  • _load_client() in fear-harvester/scripts/simmer_integration.py handles decryption + sets venue='polymarket' automatically
  • Balance: $21.59 USDC real money
  1. Set approvals: client.set_approvals()
  2. Trade: client.trade(market_id, "yes", 10.0, venue="polymarket")

⚠️ Always use a dedicated trading wallet — never your main wallet.

Heartbeat Check (every 4 hours)

SIMMER_API_KEY=$(python3 -c "import json; print(json.load(open('$HOME/.config/simmer/credentials.json'))['api_key'])")
SINCE=$(date -u -d '4 hours ago' +%Y-%m-%dT%H:%M:%SZ 2>/dev/null || date -u -v-4H +%Y-%m-%dT%H:%M:%SZ)
curl -s "https://api.simmer.markets/api/sdk/briefing?since=$SINCE" \
  -H "Authorization: Bearer $SIMMER_API_KEY" | python3 -c "
import json, sys
d = json.load(sys.stdin)
p = d['portfolio']
perf = d['performance']
alerts = d.get('risk_alerts', [])
print(f'Balance: {p[\"sim_balance\"]:.2f} \$SIM | PnL: {perf[\"total_pnl\"]:.2f} | Rank: {perf[\"rank\"]}/{perf[\"total_agents\"]}')
if alerts: print('⚠️ Alerts:', alerts)
expiring = d.get('positions', {}).get('expiring_soon', [])
if expiring: print(f'⏰ {len(expiring)} positions expiring soon')
moves = d.get('positions', {}).get('significant_moves', [])
if moves: print(f'📈 {len(moves)} significant moves')
"

Safety Rails (defaults)

  • Max trade: $100
  • Daily limit: $500
  • Trades/day: 50
  • Auto stop-loss: 50%
  • Auto take-profit: 35%

Change via PATCH /api/sdk/user/settings.
