Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Kalshi Econ Fed Link Trader
v1.0.1 · Cross-market strategy that uses CPI bin prices to estimate CPI level, then adjusts Fed rate market positions via a sensitivity model. High CPI means Fed less...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
Medium confidence
Purpose & Capability
The skill's name and description (cross-market trading using CPI bin prices to trade Fed markets) align with its declared requirements: a Simmer API key and a Solana private key for live execution. The pip dependency (simmer-sdk) is expected for a Simmer-integrated trader.
Instruction Scope
SKILL.md and trader.py describe CPI bin parsing, sensitivity modeling, and trade execution; instructions are scoped to trading. However, front-matter in SKILL.md lists only SIMMER_API_KEY while other sections and clawhub.json require both SIMMER_API_KEY and SOLANA_PRIVATE_KEY (minor inconsistency). The code attempts to import an optional 'tradejournal' from either an external package or a local skills.tradejournal module — importing a 'skills' package could access other skill modules if present, so confirm what that module does. Also, the runtime file provided in the prompt was truncated; I could not inspect the remainder of trader.py to verify there are no network calls or hidden endpoints beyond expected trading APIs.
Install Mechanism
There is no external arbitrary download/install spec. clawhub.json declares a pip dependency on 'simmer-sdk', which matches the SKILL.md and code import. This is a normal install pattern for a Python SDK; review the simmer-sdk package source before using live credentials.
Credentials
Requested environment variables (SIMMER_API_KEY and SOLANA_PRIVATE_KEY) are proportionate to a trading skill and are explicitly documented. Both are high-value credentials (especially the Solana private key). The skill also reads AUTOMATON_MAX optionally; no unrelated secrets or broad platform credentials are requested. The documentation inconsistency about required envs is worth fixing before install.
Persistence & Privilege
The skill is not marked 'always: true' and automaton.autostart is false. It declares an entrypoint for managed automaton execution but won't autostart on install. Autonomous invocation by the agent is allowed (platform default) but not elevated here.
Scan Findings in Context
[pre-scan-injection] expected: Static pre-scan reported no injection signals. That matches expectations for a trading skill but does not substitute for a full code audit.
What to consider before installing
- Do not provide your real SOLANA_PRIVATE_KEY or SIMMER_API_KEY until you audit the full code and the simmer-sdk dependency. The Solana private key is high-value and can transfer funds.
- The prompt-provided trader.py was truncated; ensure you (or someone you trust) review the entire trader.py and any code in simmer-sdk for network endpoints, telemetry, or credential exfiltration before enabling live trading.
- Use the default dry-run mode first (the skill states live trades only run with --live). Test thoroughly with paper/dry-run and small sandbox credentials or accounts.
- If you decide to go live: limit financial exposure (set MAX_POSITION_USD small, low max trades, and conservative slippage), use a dedicated account with minimal funds, and rotate keys if you later remove the skill.
- Confirm what optional integrations do (e.g., tradejournal or skills.tradejournal) — they may call external services or read local files; disable or inspect them if you don't need them.
- Verify that the clawhub.json / SKILL.md inconsistencies (SKILL.md front-matter omits SOLANA_PRIVATE_KEY) are resolved so required credentials are clear.
If you want, I can: (a) scan the remainder of trader.py (provide full file), (b) fetch and summarize the simmer-sdk package source, or (c) identify exact code locations where credentials are read/used.
