Simul8or Trader
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could place simulated trades that affect the user's Simul8or account and public trading profile without the user reviewing each action.
The skill gives the agent broad discretion to trade and documents direct buy/sell API calls, but does not define approval gates, trade limits, allowed symbols, or stop conditions.
"You decide what to watch, when to trade, and what strategy to use." ... "curl -s -X POST https://simul8or.com/api/v1/agent/AgentTrade.ashx"
Use explicit constraints before enabling it, such as approved symbols, maximum trades per day, position limits, and whether the agent must ask before placing trades.
The trader may continue running and making decisions in the background after the user forgets about it or restarts the machine.
The setup creates both a boot-persistent PM2 process and a recurring OpenClaw cron job every five minutes, but does not include clear cleanup, expiry, or pause instructions.
"pm2 save && pm2 startup" ... "openclaw cron add --name \"Simul8or Trader\" --every \"5m\" --session isolated"
Only install if persistent autonomous trading is intended, and document how to disable the cron job, stop PM2, remove startup hooks, and revoke the API key.
The installed package would run with the user's local permissions, and in the PM2 configuration it could persist across restarts.
The skill asks users to install global npm packages, including the Simul8or streamer, but no package source, version pin, lockfile, or code is included in the reviewed artifacts.
"npm install -g simul8or-trader pm2"
Verify the npm package provenance, pin a trusted version, inspect its source if possible, and avoid installing it globally unless necessary.
Anyone or anything with access to that key could act as the user's Simul8or bot within the API's permissions.
The skill uses a Simul8or API key for account actions. This is purpose-aligned, but the registry metadata declares no required credential or environment variable.
"SIMUL8OR_API_KEY": "your-api-key-here" ... "X-Simul8or-Key: $SIMUL8OR_API_KEY"
Store the key securely, use a simulator-only key, revoke it when no longer needed, and expect the skill to have trading authority on that account.
If the file becomes stale or is modified by something else, the agent's future trading decisions could be influenced.
The skill intentionally persists price history locally and tells the agent to reuse it for future trading decisions.
"Price History (YOUR MEMORY)" ... "Log to ~/price-history.jsonl — it's your memory between ticks"
Keep this memory file scoped to market data only, review it periodically, and clear it if the agent starts making decisions from bad history.
