Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Kalshi Eth Merge Momentum Trader

v1.0.5

Trades ETH price markets on Kalshi using the post-merge deflation thesis. ETH burns ~0.5% of supply annually via EIP-1559, creating structural upward pressur...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto, Requires wallet
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The code (trader.py) and SKILL.md implement a Kalshi/Simmer trading strategy and require an API key plus a Solana private key for live trading — which is coherent for a trading skill that signs on-chain transactions. However the registry metadata at the top of the submission declares no required env vars, while SKILL.md and clawhub.json require SIMMER_API_KEY and SOLANA_PRIVATE_KEY. That metadata mismatch is inconsistent and should be corrected/clarified.
Instruction Scope
SKILL.md and the script limit behaviour to market discovery, fair-price computation, and optional live execution (requires explicit --live). Default is dry-run. The instructions reference only relevant external data (Simmer SDK, optional ultrasound.money as a remix idea). A minor scope concern: SKILL.md's header metadata lists only SIMMER_API_KEY but the later 'Installation & Setup' and Required Credentials sections add SOLANA_PRIVATE_KEY — inconsistent guidance could lead users to provide a private key unintentionally.
Install Mechanism
No installer that downloads arbitrary code is present; this is instruction + code. The dependency simmer-sdk is declared (PyPI/GitHub links are provided). That is a standard package dependency; users should still review the simmer-sdk source before installing, but the install mechanism itself is not unusual.
Credentials
The skill requires two high-value credentials: SIMMER_API_KEY (expected) and SOLANA_PRIVATE_KEY (private key for signing live trades). Requiring a Solana private key is proportionate if the skill signs transactions on Solana/DFlow, but the requirement is sensitive and must be explicit and justified. The submission's top-level registry metadata omitting these env vars increases risk (users may not expect to hand over a private key). No unrelated credentials are requested, but the SOLANA_PRIVATE_KEY should only be provided from an account limited to small funds or testnet keys.
Persistence & Privilege
The skill does not request always:true, autostart is false, and model invocation is not disabled (normal). The code uses simmer_sdk.load_config/update_config which may create per-skill config files, which is expected. Nothing in the package attempts to change other skills or global agent settings.
What to consider before installing
This skill appears to implement the trading strategy it claims, but there are a few things to verify before installing or supplying credentials:
- Metadata mismatch: the registry metadata claims no required env vars, but SKILL.md and clawhub.json require SIMMER_API_KEY and SOLANA_PRIVATE_KEY. Ask the publisher to correct the metadata so requirements are obvious.
- Private key risk: SOLANA_PRIVATE_KEY is a high-value secret. Only provide a private key if you understand the account it controls. Prefer using a restricted/test account or a tiny funding account for evaluation. Do not reuse a primary custody key.
- Inspect simmer-sdk: the skill depends on simmer-sdk from PyPI/GitHub. Review that package's source (or vendor it) before installing so you know where network calls go and how credentials are used.
- Dry-run first: run python trader.py (dry run) locally and confirm no live network calls are made and that outputs are as expected. Only run with --live after auditing code and the SDK.
- Ask questions: if you cannot confirm why a Solana private key is needed for Kalshi trades, request clarification from the author/maintainer (links in SKILL.md point to simmer.markets and a GitHub repo).

If you want, I can (1) summarize the exact places in trader.py that read env vars and call external APIs, or (2) produce a short checklist of safe steps to evaluate simmer-sdk before installation.

Like a lobster shell, security has layers — review code before you run it.
