Btc Sprint Stack
Security checks across malware telemetry and agentic risk
Overview
This is a real-money crypto/prediction-market trading bot with scheduled automation and broad credential/wallet handling, so it should be reviewed carefully before installation.
Install only if you intentionally want an unattended BTC/Polymarket trading bot. Keep it in dry-run first, disable the cron automaton unless needed, use isolated low-value wallet/API credentials, avoid broad local OAuth profiles, and review the learned-parameter files before enabling live trading.
VirusTotal
0 of 66 VirusTotal vendors flagged this skill (66/66 clean). That is a static antivirus verdict on the packaged files; it does not cover the risks below, which come from code doing exactly what it says with real funds and shared credentials.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If enabled with a wallet/private key, the bot may grant trading approvals for funds and then use them for live market activity.
The skill can use a wallet private key path to link a Polygon wallet and set USDC.e approvals. The artifacts do not show a bounded approval amount or a separate user confirmation step for this high-impact wallet permission. An ERC-20 approval is a standing allowance: if it is unlimited, the approved spender contract can move the wallet's entire USDC.e balance until the allowance is revoked, even after the bot has stopped.
Called on startup when WALLET_PRIVATE_KEY is present in the environment. ... client.link_wallet() ... client.set_approvals()
Do not provide WALLET_PRIVATE_KEY or enable wallet approvals unless you understand the exact approval scope; use a limited wallet and keep the bot in dry-run until manually verified.
Installing or configuring this skill could cause a local OAuth profile or broad Google Cloud credential to be used for model calls.
The LLM layer can read a local Codex OAuth token file and can request Google ADC credentials with the broad cloud-platform scope, which is more sensitive than a simple dedicated LLM API key.
CODEX_AUTH_PATH = Path.home() / '.codex' / 'auth.json' ... google.auth.default(scopes=['https://www.googleapis.com/auth/cloud-platform'])
Prefer dedicated, least-privilege LLM API keys. Avoid using local Codex or Google ADC credentials unless you have isolated and scoped those accounts appropriately.
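The credential order this recommendation implies, as an added example (not the skill's or ClawScan's code): a resolver that uses a dedicated LLM_API_KEY when present and otherwise refuses the Codex OAuth file and Google ADC unless the operator sets a hypothetical ALLOW_SHARED_CREDENTIALS=1 opt-in. The auth.json it writes into a temporary directory is constructed; GOOGLE_APPLICATION_CREDENTIALS is the standard ADC environment variable.

```python
import stat
from pathlib import Path

# Added example, not the skill's own code: a least-privilege credential resolver
# for an LLM layer. LLM_API_KEY, CODEX_AUTH_PATH and ~/.codex/auth.json are the
# names quoted in the report; ALLOW_SHARED_CREDENTIALS is a hypothetical opt-in
# flag, and GOOGLE_APPLICATION_CREDENTIALS is the standard ADC environment variable.

BROAD_SCOPE = "https://www.googleapis.com/auth/cloud-platform"


class CredentialPolicyError(RuntimeError):
    """Raised when the only available credential is one the policy forbids."""


def file_is_private(path: Path) -> bool:
    """True when the file is not readable by group or others (POSIX mode bits)."""
    mode = path.stat().st_mode
    return not (mode & (stat.S_IRGRP | stat.S_IROTH))


def resolve_llm_credential(env: dict, home: str) -> dict:
    """Pick the credential the LLM layer may use, in least-privilege order.

    1. LLM_API_KEY: a dedicated key scoped to the model provider only.
    2. Codex OAuth token file: a whole-account credential, opt-in only.
    3. Google ADC with the cloud-platform scope: broader still, opt-in only.
    Anything else is refused rather than silently falling back.
    """
    key = env.get("LLM_API_KEY", "").strip()
    if key:
        return {"source": "dedicated_api_key", "scope": "llm-provider-only"}

    opt_in = env.get("ALLOW_SHARED_CREDENTIALS") == "1"

    codex_path = Path(env.get("CODEX_AUTH_PATH") or Path(home) / ".codex" / "auth.json")
    if codex_path.is_file():
        if not opt_in:
            raise CredentialPolicyError(
                f"refusing to read shared Codex OAuth token {codex_path}: "
                "set LLM_API_KEY, or ALLOW_SHARED_CREDENTIALS=1 to accept account-wide access"
            )
        return {
            "source": "codex_oauth_file",
            "scope": "codex-account",
            "path": str(codex_path),
            "private_file": file_is_private(codex_path),  # surface world-readable token files
        }

    adc_path = env.get("GOOGLE_APPLICATION_CREDENTIALS")
    if adc_path:
        if not opt_in:
            raise CredentialPolicyError(
                f"refusing Google ADC credential with scope {BROAD_SCOPE}: "
                "set LLM_API_KEY or ALLOW_SHARED_CREDENTIALS=1"
            )
        return {"source": "google_adc", "scope": BROAD_SCOPE, "path": adc_path}

    raise CredentialPolicyError("no LLM credential configured; set LLM_API_KEY")


def demo() -> dict:
    """Exercise the policy against a constructed fake home directory."""
    import tempfile

    outcomes = {}
    with tempfile.TemporaryDirectory() as tmp:
        auth = Path(tmp) / ".codex" / "auth.json"
        auth.parent.mkdir()
        auth.write_text('{"tokens": {"access_token": "constructed-fake-token"}}')
        # A dedicated key wins regardless of what is lying around in $HOME.
        outcomes["with_key"] = resolve_llm_credential({"LLM_API_KEY": "sk-fake"}, tmp)["source"]
        # No key and no opt-in: refuse instead of quietly using the OAuth file.
        try:
            resolve_llm_credential({}, tmp)
            outcomes["no_key"] = "allowed"
        except CredentialPolicyError:
            outcomes["no_key"] = "refused"
        # Explicit opt-in: allowed, and the caller learns exactly what was used.
        outcomes["opted_in"] = resolve_llm_credential({"ALLOW_SHARED_CREDENTIALS": "1"}, tmp)["source"]
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The point of returning a `source`/`scope` record rather than a bare token is that the caller can log which credential class a scheduled run used, so an unexpected fallback to an account-wide credential shows up in the audit trail instead of being invisible.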
The bot may continue running on a schedule after installation rather than only when you manually invoke it.
The package declares a managed background automaton that runs every 15 minutes. That persistence is material because the same skill can perform live trading when configured.
"cron": "*/15 * * * *", "automaton": { "managed": true, "entrypoint": "main.py" }
Disable the managed cron/automaton unless you explicitly want unattended operation, and verify it remains in dry-run before allowing any scheduled live trading.
If live mode is enabled, the agent can place real Polymarket trades through Simmer.
Live trade submission is central to the stated trading-bot purpose and is paired with dry-run behavior and risk limits, but it is still irreversible financial/account mutation.
if live: trade = client.trade(market_id=market_id, side=side, amount=amount, venue=venue, ...)
Keep dry-run enabled until you have reviewed logs, limits, wallet approvals, and market selection; use small isolated funds if enabling live mode.
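One way to put the two irreversible actions flagged above (the unbounded USDC.e approval in the wallet finding and the `client.trade(...)` call in this one) behind a single gate, as an added example that is not the skill's code: dry-run is the default, a live order must clear a per-trade cap, a daily cap and a duplicate check so a 15-minute cron cannot resubmit the same decision, and an allowance is only accepted when it is bounded and the operator has explicitly confirmed it. The limits, the `confirm_approvals` flag and the venue callable are hypothetical; `MAX_UINT256` as the unlimited-allowance sentinel and 6 decimals for USDC.e are standard.

```python
import hashlib
import time
from dataclasses import dataclass

# Added example, not the skill's own code. It wraps the two irreversible actions
# the report flags: granting a USDC.e allowance (client.set_approvals) and placing
# a live trade (client.trade). The limits and the confirm flag are hypothetical;
# the venue client is passed in as a plain callable so this runs offline.

MAX_UINT256 = 2**256 - 1   # the value most "approve unlimited" helpers send
USDC_DECIMALS = 6          # USDC.e on Polygon uses 6 decimals


@dataclass(frozen=True)
class RiskLimits:
    max_approval_usdc: float   # largest allowance the bot may grant the venue
    max_trade_usdc: float      # per-order cap
    max_daily_usdc: float      # cumulative cap per UTC day


class TradeGate:
    def __init__(self, limits: RiskLimits, live: bool = False,
                 confirm_approvals: bool = False, clock=time.time):
        self.limits = limits
        self.live = live                    # dry-run unless explicitly True
        self.confirm_approvals = confirm_approvals
        self.clock = clock                  # injectable for deterministic tests
        self.spent = {}                     # utc-day -> USDC submitted that day
        self.seen = set()                   # idempotency keys of submitted orders
        self.audit = []                     # every decision, accepted or not

    def _day(self) -> str:
        return time.strftime("%Y-%m-%d", time.gmtime(self.clock()))

    def _log(self, **entry) -> dict:
        entry["ts"] = self.clock()
        self.audit.append(entry)
        return entry

    def check_approval(self, amount_raw: int) -> dict:
        """Decide whether an ERC-20 allowance of amount_raw (base units) may be set."""
        usdc = amount_raw / 10 ** USDC_DECIMALS
        if amount_raw == MAX_UINT256 or usdc > self.limits.max_approval_usdc:
            return self._log(action="approve", ok=False, reason="unbounded_or_over_limit", usdc=usdc)
        if not self.confirm_approvals:
            return self._log(action="approve", ok=False, reason="explicit_confirmation_required", usdc=usdc)
        return self._log(action="approve", ok=True, reason="within_limit", usdc=usdc)

    def submit(self, market_id: str, side: str, amount: float, send) -> dict:
        """Gate one order; send(market_id, side, amount) is the venue call."""
        day = self._day()
        key = hashlib.sha256(f"{market_id}|{side}|{amount:.6f}|{day}".encode()).hexdigest()
        base = dict(action="trade", market_id=market_id, side=side, amount=amount)
        if key in self.seen:                              # a scheduled rerun must not resubmit
            return self._log(**base, ok=False, reason="duplicate_order")
        if amount <= 0 or amount > self.limits.max_trade_usdc:
            return self._log(**base, ok=False, reason="per_trade_limit")
        if self.spent.get(day, 0.0) + amount > self.limits.max_daily_usdc:
            return self._log(**base, ok=False, reason="daily_limit")
        if not self.live:                                 # dry-run: log the decision, touch nothing
            return self._log(**base, ok=True, reason="dry_run", sent=False)
        result = send(market_id, side, amount)
        self.seen.add(key)
        self.spent[day] = self.spent.get(day, 0.0) + amount
        return self._log(**base, ok=True, reason="submitted", sent=True, venue_result=result)


if __name__ == "__main__":
    gate = TradeGate(RiskLimits(500, 50, 200), live=False)
    print(gate.submit("market-1", "buy", 20, lambda m, s, a: "never called in dry-run"))
    print(gate.check_approval(MAX_UINT256))
```

Because every decision goes through `_log`, the `audit` list is the record to review before flipping `live=True`: it shows what the bot would have done on each scheduled run, with the reason each order was accepted or refused.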
Installation may pull current versions of trading, wallet, auth, and HTTP libraries, and users may not notice the credential requirements from the registry summary alone.
The skill depends on unpinned packages and runtime credentials that are not reflected in the top-level registry requirements shown in the supplied metadata.
"pip": ["simmer-sdk", "eth-account", "google-auth", "requests"], "env": ["SIMMER_API_KEY", "LLM_API_KEY"]
Pin dependencies to exact versions (and hashes, where the installer supports them) and review them before installation, and make the registry metadata list every env var and package the code actually requires.
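A pre-install check that covers this finding and the scheduled-automaton finding above, as an added example (not ClawScan's or the skill's code): it reports unpinned `pip` entries, env vars the source reads but the manifest does not declare, reads of files under the home directory, and any cron or managed automaton. The manifest is constructed from the fields quoted in this report; its layout as one flat JSON object is an assumption, and the sample source is constructed to reproduce the access patterns quoted above.

```python
import json
import re

# Added example, not ClawScan's or the skill's code: a pre-install audit of a
# skill manifest against the source it ships. The manifest is constructed from
# the fields quoted in the report (pip, env, cron, automaton); its layout as a
# flat JSON object is an assumption, as is the sample source.

SAMPLE_MANIFEST = json.loads("""{
  "name": "btc-sprint-stack",
  "pip": ["simmer-sdk", "eth-account", "google-auth", "requests"],
  "env": ["SIMMER_API_KEY", "LLM_API_KEY"],
  "cron": "*/15 * * * *",
  "automaton": {"managed": true, "entrypoint": "main.py"}
}""")

SAMPLE_SOURCE = '''
import os
from pathlib import Path
SIMMER_API_KEY = os.environ["SIMMER_API_KEY"]
LLM_API_KEY = os.getenv("LLM_API_KEY")
WALLET_PRIVATE_KEY = os.environ.get("WALLET_PRIVATE_KEY")
CODEX_AUTH_PATH = Path.home() / ".codex" / "auth.json"
'''

PINNED_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*(\[[^\]]+\])?==\S+$")
ENV_RE = re.compile(r"""os\.(?:environ\.get|getenv|environ)\s*[\(\[]\s*['"]([A-Za-z_][A-Za-z0-9_]*)['"]""")
HOME_READ_RE = re.compile(r"Path\.home\(\)|expanduser\(")
SECRET_HINTS = ("KEY", "SECRET", "TOKEN", "PRIVATE", "PASSWORD")


def audit_manifest(manifest: dict, sources: list) -> list:
    findings = []

    # Unpinned packages: the installer resolves whatever is current at install time.
    for dep in manifest.get("pip", []):
        if not PINNED_RE.match(dep):
            findings.append({"severity": "medium", "kind": "unpinned_dependency", "detail": dep})

    declared = set(manifest.get("env", []))
    referenced = set()
    home_reads = 0
    for src in sources:
        referenced.update(ENV_RE.findall(src))
        home_reads += len(HOME_READ_RE.findall(src))

    # Env vars the code reads but the registry summary never mentions.
    for name in sorted(referenced - declared):
        sensitive = any(h in name.upper() for h in SECRET_HINTS)
        findings.append({"severity": "high" if sensitive else "low",
                         "kind": "undeclared_env_var", "detail": name})

    if home_reads:
        findings.append({"severity": "medium", "kind": "reads_home_directory",
                         "detail": f"{home_reads} reference(s) to files under $HOME"})

    # Persistence: anything that keeps running after the install command returns.
    schedule = manifest.get("cron")
    if schedule or manifest.get("automaton", {}).get("managed"):
        findings.append({"severity": "high", "kind": "persistent_schedule",
                         "detail": f"cron={schedule!r} automaton={manifest.get('automaton')}"})
    return findings


def summarize(findings: list) -> dict:
    """Count findings per kind, for a one-line verdict."""
    out = {}
    for f in findings:
        out[f["kind"]] = out.get(f["kind"], 0) + 1
    return out


if __name__ == "__main__":
    for f in audit_manifest(SAMPLE_MANIFEST, [SAMPLE_SOURCE]):
        print(f"[{f['severity']}] {f['kind']}: {f['detail']}")
```

Run on the constructed inputs, the audit surfaces exactly the gap the finding describes: four unpinned packages, `WALLET_PRIVATE_KEY` read by the code but absent from `env`, a read under the home directory, and the 15-minute schedule.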
Stored learning data could change thresholds or behavior across runs, including scheduled runs.
The skill persists learned parameters and rule suggestions that can influence later trading cycles. The behavior is disclosed and bounded to tunables, but users should review it because it affects future decisions.
Merge learned tunables from `data/live_params.json` before env overrides. ... `data/pending_rules.json` — pending and applied rule suggestions
Regularly inspect or reset data/live_params.json and data/pending_rules.json, especially before enabling live trading.
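A loader that makes this review enforceable rather than a habit, as an added example (not the skill's code): it parses `data/live_params.json` content, rejects any tunable outside a human-reviewed range, and, when given the digest recorded at the last review, refuses a file that has changed since. The report does not list the actual tunables, so the names and bounds are hypothetical, and `pending_rules.json` is not covered because its schema is not shown.

```python
import hashlib
import json

# Added example, not the skill's code. The report says learned tunables are merged
# from data/live_params.json before env overrides; it does not list them, so the
# names and bounds below are hypothetical. pending_rules.json is not covered.

PARAM_BOUNDS = {
    "max_position_usdc": (1.0, 50.0),   # learning must not raise exposure past the reviewed cap
    "entry_threshold":   (0.55, 0.95),  # model confidence required before entering
    "cooldown_minutes":  (15, 1440),    # minimum gap between trades on one market
}


def params_digest(params: dict) -> str:
    """Stable fingerprint of the tunables as reviewed by a human."""
    canonical = json.dumps(params, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def validate_params(params: dict) -> list:
    """Return a list of problems; an empty list means every tunable is in range."""
    problems = []
    for name, value in params.items():
        if name not in PARAM_BOUNDS:
            problems.append(f"unknown tunable {name!r}")
            continue
        lo, hi = PARAM_BOUNDS[name]
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            problems.append(f"{name}: expected a number, got {value!r}")
        elif not lo <= value <= hi:
            problems.append(f"{name}: {value} outside reviewed range [{lo}, {hi}]")
    return problems


def load_learned_params(text: str, approved_digest: str = None) -> tuple:
    """Parse live_params.json content; return (params, problems).

    Params come back empty whenever anything is wrong, so a caller that refuses
    to go live on a non-empty problems list cannot accidentally use a partial
    set either. With approved_digest set, any change since the last review is a
    problem: a scheduled run must not trade on tunables nobody has looked at.
    """
    try:
        params = json.loads(text)
    except json.JSONDecodeError as exc:
        return {}, [f"invalid JSON: {exc.msg}"]
    if not isinstance(params, dict):
        return {}, ["top-level value must be an object"]
    problems = validate_params(params)
    if approved_digest is not None and params_digest(params) != approved_digest:
        problems.append("tunables changed since last human review")
    return (params if not problems else {}), problems


# Constructed sample of what a learned-parameter file might contain.
SAMPLE_PARAMS = '{"max_position_usdc": 25, "entry_threshold": 0.7, "cooldown_minutes": 60}'

if __name__ == "__main__":
    params, problems = load_learned_params(SAMPLE_PARAMS)
    approved = params_digest(params)
    print("approved digest:", approved, problems)
    # Simulate a later run whose learning step pushed the position cap to 500.
    print(load_learned_params(SAMPLE_PARAMS.replace("25", "500"), approved))
```

The digest is the cheap part of the control: store it next to the reviewed file, pass it in on every scheduled run, and the bot refuses to act on learned values until someone re-reviews and records the new digest.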
