Skill v0.0.3
ClawScan security
Polymarket 24h Geopolitics Cluster Trader · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 28, 2026, 2:25 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requests and code are consistent with a Polymarket trading bot that uses the Simmer SDK and a single required SIMMER_API_KEY; nothing in the provided materials suggests hidden or unrelated credential access or unexpected install behavior.
- Guidance: This skill appears internally consistent and behaves like a trading template: keep your SIMMER_API_KEY secret and test exclusively in paper mode (no --live) until you're confident in behavior. Review the full trader.py source and simmer-sdk documentation before providing the API key to confirm the SDK's network endpoints and permissions. If you or a third party add external data feeds (news, satellite, scraping), re-evaluate scope and credentials; those integrations can introduce new risks. Finally: run initial tests in an isolated environment, monitor outgoing network calls, and limit live trading caps before enabling --live.
Review Dimensions
- Purpose & Capability: ok. Name/description (arbitrage on Polymarket geopolitical clusters) match the requested items: a single SIMMER_API_KEY credential and the simmer-sdk pip dependency declared in clawhub.json. The requested env vars, tunables, and SDK dependency are proportionate to a trading skill.
- Instruction Scope: note. SKILL.md and trader.py describe market discovery, parsing, clustering, and trade execution. The instructions default to paper trading and require an explicit --live flag for real trades. Note: the doc calls this a template and suggests remixing with external feeds (news, satellite); if a user extends the skill to ingest arbitrary external data, scope and risk increase. The provided instructions themselves do not perform unrelated file reads or credential harvesting.
- Install Mechanism: ok. No arbitrary downloads or extract steps. The manifest declares a pip dependency on 'simmer-sdk', which is an expected package for interacting with the Simmer platform. No install URLs, shorteners, or personal servers were used.
- Credentials: ok. Only SIMMER_API_KEY is required (declared in clawhub.json and SKILL.md). Tunables are exposed via env vars for risk parameters. No unrelated secrets, cloud credentials, or config paths are requested.
- Persistence & Privilege: ok. always:false and autostart:false (cron:null): the skill will not run automatically without user configuration. The automaton entrypoint is set but managed and not autostarting, which is expected for a trading bot template.
