Skill v1.0.0

ClawScan security

Polymarket Sol Momentum · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 4, 2026, 9:21 PM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, instructions, and runtime requirements are internally consistent with a Polymarket/Simmer trading strategy; nothing requested or installed is disproportionate or unrelated to that purpose.
Guidance
This skill appears to do what it says: use CoinGecko momentum to find mispriced Polymarket crypto markets and trade via your Simmer account. Before enabling it, make sure you understand and control the SIMMER_API_KEY you provide (use a sandbox/sim key if you want paper trading). Note that clawhub.json schedules the automaton to run every 15 minutes and passes --live to the script; if you do not want automatic live trades, remove or modify the automaton args/cron, set TRADING_VENUE to 'sim', and/or do not provide a live SIMMER_API_KEY. Review the Simmer account limits and the creator-fee tagging behavior (the skill tags its trades and claims a 2% creator fee) so you understand fees and attribution. Finally, audit and test in dry-run/sim mode before committing real funds.

Review Dimensions

Purpose & Capability
ok · Name/description (Polymarket momentum trader) aligns with the actual behavior: it fetches CoinGecko signals, uses a Simmer client to discover markets and (optionally) place trades, and requires a SIMMER_API_KEY and simmer-sdk. No unrelated clouds/credentials/binaries are requested.
Instruction Scope
note · SKILL.md and strategy.py limit actions to fetching CoinGecko data, calling Simmer APIs, scoring markets, and executing trades. The only notable operational scope item: clawhub.json / automaton is configured to pass --live to the entrypoint, meaning the automaton will run the script in live mode (real trades) when scheduled. This is documented in SKILL.md but is important to notice because the script's default behavior when run manually is dry-run; the automaton overrides that.
Install Mechanism
ok · No external download or extract steps. Dependencies are standard pip packages (simmer-sdk, requests) declared in clawhub.json, a normal, low-risk install path for a Python skill.
Credentials
ok · Only SIMMER_API_KEY is required as a secret; the other environment variables are configuration (trade amount, threshold, venue). All requested env vars are appropriate for a trading automation and are declared in SKILL.md / clawhub.json.
Persistence & Privilege
note · The skill is not forced always-on, but clawhub.json contains a cron schedule (*/15 * * * *) and an automaton entrypoint that passes --live. That gives the skill periodic, autonomous live-trading capability when the automaton is enabled. Autonomous invocation is normal for trading skills, but the combination of scheduled runs + --live means enabling this skill can cause real trades without any manual CLI flag.
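The two findings above (the Guidance note on removing --live / setting TRADING_VENUE to 'sim', and the Persistence & Privilege note on scheduled runs plus --live) come down to one manifest check. The script below is an added example, not ClawHub's scanner or the skill's own code: it audits a manifest for the scheduled-plus-live combination and for secrets beyond the one credential the skill needs, then produces a paper-trading-only copy. The field names it reads (automaton, cron, entrypoint, args, env, secret) and the sample manifest are assumed for illustration; the real clawhub.json layout may differ.

```python
from __future__ import annotations

import json
from dataclasses import dataclass

# Flags that switch the entrypoint from its dry-run default to real trades.
LIVE_FLAGS = frozenset({"--live"})
PAPER_VENUE = "sim"
# The one secret a Simmer trading skill legitimately needs.
EXPECTED_SECRETS = ["SIMMER_API_KEY"]

# Constructed manifest (assumed schema, not the skill's real clawhub.json).
# It reproduces the two facts the scan calls out: a */15 cron schedule and an
# automaton entrypoint that passes --live.
SAMPLE_MANIFEST = json.dumps({
    "name": "polymarket-sol-momentum",
    "version": "1.0.0",
    "dependencies": ["simmer-sdk", "requests"],
    "env": {
        "SIMMER_API_KEY": {"secret": True, "required": True},
        "TRADING_VENUE": {},
        "TRADE_AMOUNT": {"default": "5"},
    },
    "automaton": {
        "cron": "*/15 * * * *",
        "entrypoint": "python strategy.py",
        "args": ["--live"],
    },
})


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "note"
    check: str
    detail: str


def has_live_flag(args) -> bool:
    """True if the automaton args would override the script's dry-run default."""
    return any(a in LIVE_FLAGS for a in args)


def audit_manifest(text: str) -> list[Finding]:
    """Flag the combinations that let a skill trade real funds unattended."""
    m = json.loads(text)
    env = m.get("env", {})
    auto = m.get("automaton") or {}
    scheduled = bool(auto.get("cron"))
    live = has_live_flag(auto.get("args", []))
    venue = (env.get("TRADING_VENUE") or {}).get("default")
    findings = []

    if scheduled and live:
        findings.append(Finding("high", "scheduled-live",
            f"cron {auto['cron']!r} runs {auto.get('entrypoint')!r} with {auto['args']}"))
    elif live:
        findings.append(Finding("note", "live-flag",
            "entrypoint passes a live flag but is not scheduled"))
    elif scheduled:
        findings.append(Finding("note", "scheduled",
            "automaton is scheduled; confirm the script defaults to dry-run"))

    if venue is not None and venue != PAPER_VENUE:
        findings.append(Finding("note", "venue-default",
            f"TRADING_VENUE defaults to {venue!r}, not {PAPER_VENUE!r}"))

    # Any secret beyond the one the purpose needs is out of proportion.
    secrets = sorted(k for k, v in env.items() if isinstance(v, dict) and v.get("secret"))
    if secrets != EXPECTED_SECRETS:
        findings.append(Finding("high", "unexpected-secret", f"secrets requested: {secrets}"))
    return findings


def neutralize(text: str) -> str:
    """Return a manifest copy that can only paper-trade when scheduled."""
    m = json.loads(text)
    auto = m.setdefault("automaton", {})
    auto["args"] = [a for a in auto.get("args", []) if a not in LIVE_FLAGS]
    m.setdefault("env", {}).setdefault("TRADING_VENUE", {})["default"] = PAPER_VENUE
    return json.dumps(m, indent=2)


def highest_severity(findings) -> str:
    """Collapse findings to a single verdict: "high", "note" or "ok"."""
    order = {"high": 2, "note": 1}
    return max((f.severity for f in findings), key=lambda s: order.get(s, 0), default="ok")


if __name__ == "__main__":
    for f in audit_manifest(SAMPLE_MANIFEST):
        print(f"[{f.severity}] {f.check}: {f.detail}")
    fixed = neutralize(SAMPLE_MANIFEST)
    print("after neutralize:", highest_severity(audit_manifest(fixed)))
```

Run it against the sample and the only high finding is scheduled-live; after neutralize() strips --live and pins TRADING_VENUE to 'sim', the same audit drops to a note that the automaton is still scheduled, which is the state you want before you hand the skill a live SIMMER_API_KEY.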