Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Kalshi Eth Btc Beta Trader
v1.0.8
Trades ETH price markets on Kalshi by exploiting the 1.3x beta relationship between ETH and BTC. When BTC odds shift, ETH markets lag behind -- this skill ca...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description match the code: trader.py uses simmer-sdk to discover Kalshi markets and execute trades based on an ETH-vs-BTC beta. Requesting a Simmer API key and a Solana private key is consistent with a bot that can execute on-chain orders via the Simmer SDK. However, the registry summary at the top claims 'Required env vars: none' while SKILL.md and clawhub.json both require SIMMER_API_KEY and SOLANA_PRIVATE_KEY — an internal metadata mismatch.
Instruction Scope
SKILL.md and trader.py confine runtime actions to market discovery, signal computation, and trade execution via the simmer-sdk. The skill defaults to dry-run and only executes real trades with an explicit --live flag. No instructions in SKILL.md ask the agent to read unrelated system files or exfiltrate data.
Install Mechanism
This is instruction-only with a dependency on the public PyPI package 'simmer-sdk' (declared in SKILL.md and clawhub.json). There are no downloads from arbitrary URLs or archive extraction steps in the package files provided.
Credentials
The skill requires high-value secrets (SIMMER_API_KEY and SOLANA_PRIVATE_KEY) which are plausible and proportional for a live trading bot. The concern is the inconsistency between the registry's 'Required env vars: none' and the SKILL.md/clawhub.json that declare the credentials. That metadata mismatch could lead users to install without noticing they must supply private keys. Also verify why both an API key and a private key are needed and whether the Simmer SDK actually requires direct private-key signing (rather than server-side execution).
Persistence & Privilege
The skill is not always-on (always:false) and autostart is false. The automaton entrypoint is set so the platform can run it, but it won't start automatically on install. It does not request system-wide settings or modify other skills.
What to consider before installing
This package mostly looks like what it claims — a trading skill that needs an API key and a Solana private key to place live trades. Before installing: (1) do not provide live credentials unless you trust the simmer-sdk publisher and have reviewed its source; (2) verify why a Solana private key is required (are trades signed locally or sent to a third-party service?); (3) fix or ask the publisher about the metadata inconsistency (the registry claims no required env vars while SKILL.md and clawhub.json require two secrets); (4) test in dry-run only and review logs; and (5) audit the simmer-sdk package code (and any network endpoints it calls) if you plan to run with --live or store your private key on the machine. If you are uncomfortable auditing the SDK, avoid providing SOLANA_PRIVATE_KEY or SIMMER_API_KEY for live use.
Like a lobster shell, security has layers — review code before you run it.
