Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Kalshi Econ Nowcast Trader
v1.0.1
Trades CPI bin markets on Kalshi using the Cleveland Fed CPI Nowcast to compute fair bin probabilities via a normal distribution model. Requires SIMMER_API_K...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The code and SKILL.md implement a Kalshi trading strategy using the Simmer SDK and (optionally) Solana for live execution; requesting SIMMER_API_KEY and SOLANA_PRIVATE_KEY is coherent with that purpose. However, the upstream registry metadata claimed no required env vars while the distributed files (SKILL.md, clawhub.json, trader.py) do require these credentials — a discrepancy that suggests sloppy packaging or metadata omission.
Instruction Scope
The instructions and code focus on market discovery, pricing bins using a normal nowcast model, and trading via the simmer-sdk. I did not see instructions to read unrelated system files or to transmit data to unknown external endpoints; network calls appear to be to Simmer/Kalshi-related APIs. The code will import optional trade-journal modules and uses simmer_sdk.skill.load_config (which may read/write skill config), which is expected for an automatable trading skill.
Install Mechanism
There is no custom download/install URL or arbitrary archive in the registry, and the dependency is a PyPI package (simmer-sdk) with a linked GitHub repo. That is a reasonable install mechanism, but you should review the simmer-sdk source before granting live credentials because it will handle API calls and possibly signing/trading actions.
Credentials
The skill requests two high-value secrets: SIMMER_API_KEY (trading API) and SOLANA_PRIVATE_KEY (base58 private key for live Solana interactions). These are proportionate to a trading skill, but they are sensitive: the Solana private key grants custody-level access to funds. Additional tunable env vars are reasonable. The earlier registry metadata omitting these env requirements is inconsistent with the files and installation manifest.
Persistence & Privilege
The skill is not marked always:true and autostart is false; the automaton is managed but will not run automatically until enabled. Default mode is dry-run; live trades require an explicit --live flag. This limits unexpected persistent/automatic trading behavior, which is appropriate.
What to consider before installing
This skill implements a legitimate-seeming Kalshi trading strategy and needs two sensitive credentials (SIMMER_API_KEY and SOLANA_PRIVATE_KEY). Before installing or providing keys:
1) Review the simmer-sdk source (PyPI/GitHub) to confirm there are no unexpected network calls or key exfiltration.
2) Keep to dry-run first; do not pass --live until you've audited behavior.
3) Provide least-privilege credentials where possible (testnet or read-only API keys) and rotate keys after testing.
4) Note the registry metadata omission of required env vars — treat that as a packaging quality issue and verify all required variables and permissions before trusting the skill with real funds.
Like a lobster shell, security has layers — review code before you run it.
latest vk97b0avyr9qfed6djyc59k2d25847ab5
