Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Kalshi Econ Seasonal Trader

v1.0.1

Trades CPI/inflation markets on Kalshi using documented seasonal patterns in CPI data. Energy costs spike summer, housing adjustments January. Requires SIMME...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto: Requires wallet
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's purpose (trade CPI markets via Simmer/Kalshi) aligns with the code and the declared pip dependency (simmer-sdk). However, registry-level metadata earlier claimed 'Required env vars: none' while SKILL.md and clawhub.json require SIMMER_API_KEY and SOLANA_PRIVATE_KEY. This mismatch between registry metadata and included files is an incoherence that should be corrected.
Instruction Scope
SKILL.md and trader.py keep scope to market discovery, fair-value calculation, and trade execution. The instructions explicitly default to dry-run and require an explicit --live flag to execute real trades. Points to watch: the code attempts optional integration with a 'tradejournal' module and imports 'skills.tradejournal' as a fallback (this can access other skill modules if present). The skill also uses simmer_sdk.skill helpers (load_config/update_config) which read/write the skill's config path. It references and reads additional env vars (TRADING_VENUE, AUTOMATON_MAX) that aren't consistently declared in top-level metadata.
Install Mechanism
There is no arbitrary download/install; the dependency is a PyPI package (simmer-sdk). Using pip-installed packages is expected for this purpose, but PyPI packages have inherent supply-chain risk — verify the package publisher, release source, and review the simmer-sdk code before installing.
Credentials
Requesting SIMMER_API_KEY and SOLANA_PRIVATE_KEY is proportionate to a trading skill, but SOLANA_PRIVATE_KEY is highly sensitive and grants direct custody authority over on-chain funds. Additionally, the code references other environment variables (TRADING_VENUE, AUTOMATON_MAX) that are not consistently declared in metadata; this incomplete declaration could surprise users. Only provide private keys after verifying the code and limiting funds (use a low-balance/trial key).
Persistence & Privilege
The skill is not marked 'always:true' and autostart is false. It is set as an automaton-managed entrypoint but will not run on a schedule unless configured — autonomous invocation is allowed by default (normal). The skill updates/reads its own config but does not appear to modify other skills or system-wide settings.
What to consider before installing
Before installing or supplying credentials:
- Do not hand over your main Solana private key. Use a dedicated, low-balance key for testing live trades.
- Verify the simmer-sdk PyPI package and its GitHub repo (publisher, recent commits, and file contents) to ensure it is legitimate and doesn't exfiltrate secrets.
- Inspect the full trader.py (the supplied file was truncated in the listing) for any network endpoints, hard-coded URLs, or code paths that transmit environment variables or files to third parties. Search for HTTP(s) requests, base64/hex encoding of env values, or subprocess calls that could leak keys.
- Start in dry-run mode (default) and run locally to observe behavior and network I/O.
- Confirm the discrepancy in registry metadata (registry claimed no required envs, but code and clawhub.json require SIMMER_API_KEY and SOLANA_PRIVATE_KEY) is resolved by the publisher.
- If you plan to run live, limit MAX_POSITION_USD and max trades, and monitor logs & network traffic.

If you can share the full trader.py and the simmer-sdk package source, I can re-evaluate with higher confidence.

Like a lobster shell, security has layers — review code before you run it.

latest: vk97dav35j5neceprxrw5jyvafs847xns
