Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Kalshi F1 Elimination Trader

v1.0.4

Trades F1 Drivers Championship markets on Kalshi by identifying mathematically eliminated drivers still priced above zero. Sells NO on eliminated drivers for...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto, Requires wallet
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's code and SKILL.md implement a Kalshi/Simmer trading bot that detects mathematically eliminated F1 drivers and (optionally) places trades. Requiring SIMMER_API_KEY and SOLANA_PRIVATE_KEY is coherent with that purpose. However, the registry summary at the top of the submission incorrectly listed 'Required env vars: none' and 'Primary credential: none', which conflicts with SKILL.md, clawhub.json, and trader.py, all of which require credentials. This metadata mismatch reduces trust and should be resolved before install.
Instruction Scope
SKILL.md and trader.py primarily describe market discovery, elimination detection using static standings, and trade execution via the simmer-sdk. The skill defaults to dry-run and only executes real trades when run with --live, which is appropriate. A notable behavior: the bundled default signal uses static championship standings (a template) — the skill suggests remixing with live F1 API data for real-time detection, so out-of-the-box results may be stale. The provided trader.py in the prompt was truncated; the missing portion could contain additional behavior, so review the full file before running.
Install Mechanism
No opaque download/install is present in the bundle; dependencies are standard (simmer-sdk on PyPI). clawhub.json also lists simmer-sdk as a pip requirement. There are no downloads from arbitrary URLs or archive extraction steps in the provided materials.
Credentials
The skill requires SIMMER_API_KEY (API credential for Simmer) and SOLANA_PRIVATE_KEY (base58 private key used for signing on Solana). Both are logically required to place live trades, but the Solana private key is a high-value secret that grants on-chain spending authority. The skill also reads optional environment values (e.g., TRADING_VENUE, AUTOMATON_MAX_BET). Requesting a private key is proportionate for live trading, but it raises real risk — ensure you supply a limited-funds wallet and confirm you trust both the simmer-sdk package and the skill's code.
Persistence & Privilege
The skill is not configured as always:true and autostart is false in clawhub.json. disable-model-invocation is not set (default false), which is normal. The skill requests no system-wide config changes beyond its own config management via simmer-sdk utilities.
What to consider before installing
Key things to check and do before installing or providing secrets:
- Do not paste your primary Solana private key: create a throwaway wallet with a small amount of USDC for testing and use that for live runs if you must.
- Verify the full trader.py source (the copy in the prompt was truncated). Look specifically for any network calls, hard-coded endpoints, or code that transmits data to unexpected servers.
- Confirm simmer-sdk is the official package you expect (review the PyPI project and the GitHub repo linked in SKILL.md) and audit its code if you plan to run live.
- Prefer to run in dry-run mode first (python trader.py) and validate the markets discovered and the logic before ever passing --live.
- Because the registry metadata conflicted with the files, ask the publisher/owner to correct the package metadata so required credentials are explicit in the platform UI.
- If you decide to run live, limit exposure: use a wallet with minimal funds, set conservative tunables (low max position), and monitor/log all actions. Rotate keys if you suspect anything unexpected.
- If you are not comfortable auditing code or managing keys, do not provide SOLANA_PRIVATE_KEY or run with --live.

Like a lobster shell, security has layers — review code before you run it.

latestvk979b6zy7dsepvw51t7p8g41an84akmq
