Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Kalshi Crypto Volatility Skew Trader
v1.0.5
Trades Bitcoin price bin markets on Kalshi by comparing market-implied volatility to BTC historical ~60% annualized vol using a lognormal model. Requires SIM...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (Kalshi Bitcoin bin-market volatility-skew trader) align with the included code: trader.py uses simmer_sdk to discover Kalshi markets, compute implied vs historical vol, and optionally execute trades. However the registry metadata at the top of the evaluation incorrectly lists 'Required env vars: none' while the SKILL.md, clawhub.json and trader.py clearly require SIMMER_API_KEY and SOLANA_PRIVATE_KEY — an incoherence that should be corrected.
Instruction Scope
SKILL.md instructions and the script stay within trading scope: market discovery, model computation, and trade execution. The instructions explicitly default to dry-run and require an explicit --live flag to trade. There is no evidence in SKILL.md or visible code of unrelated data collection (no shell history reading or filesystem scraping).
Install Mechanism
This is instruction/code-only with no opaque remote installer. Dependencies are a PyPI package (simmer-sdk) declared in clawhub.json and SKILL.md, which is a reasonable dependency for a trading SDK. You should still review the simmer-sdk package source before trusting it with live credentials, as the SKILL.md itself recommends.
Credentials
The skill requires two high-value secrets: SIMMER_API_KEY (API authority) and SOLANA_PRIVATE_KEY (base58 private key for signing live trades). Those are proportionate to live trading functionality, but they are highly sensitive. The registry metadata falsely reported no required env vars — that mismatch increases risk because users may not expect to supply a private key. Recommend using restricted accounts, read-only API keys for dry-run, or managed signing (if available) instead of pasting a full private key into an env var.
Persistence & Privilege
always:false and autostart:false; the skill is not forced into every agent run. Automaton entrypoint is provided but autostart is disabled. The skill can be invoked autonomously by the agent (default) which is normal for skills; this is not combined with 'always:true' or other unusual privileges.
What to consider before installing
This skill appears to implement the trading strategy it claims, but take care before providing live credentials. Actionable steps:
- Do not supply SOLANA_PRIVATE_KEY or SIMMER_API_KEY to run dry-run/testing — the skill supports dry-run mode (no trades) by default; use that first.
- Before giving live credentials, review the simmer-sdk package source (linked in SKILL.md) and the rest of trader.py (the file shown is truncated) to ensure no hidden network exfiltration or unexpected behavior.
- Prefer using a limited/restricted account or signing service rather than a full private key in an environment variable; if you must use a key, create a dedicated account with minimal funds and withdrawal limits.
- Note the registry metadata is inconsistent (it claims no required env vars). Treat that as a red flag and ask the publisher to correct the metadata.
- Test thoroughly in paper mode, monitor logs, and limit MAX_POSITION_USD while validating behavior. If you need higher assurance, request a complete code audit or a signed/reproducible release of simmer-sdk and this skill.
