Skill v0.0.3

ClawScan security

Polymarket 24h Nba Game Structure Trader · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 28, 2026, 2:25 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, declared dependency, and environment variable requests are coherent with a Polymarket/NBA arbitrage trader and do not request unrelated credentials or perform unexplained actions.
Guidance
This skill appears internally consistent, but it can place real trades when run with --live and given a valid SIMMER_API_KEY. Before enabling live mode: 1) run extensively in paper mode to validate behavior; 2) ensure the SIMMER_API_KEY has least privilege and is not reused for other services; 3) pin and review the simmer-sdk package version and review its implementation or source to understand what the SDK can do; 4) review/adjust the tunables (max position, thresholds) to limits you are comfortable with; 5) rotate the API key after testing and do not grant it to untrusted environments. If you will allow autonomous invocation, consider additional safeguards (e.g., require manual confirmation for live trades or restrict live mode via environment/role checks).
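The safeguards listed above (paper mode as the default, an explicit --live flag, a valid SIMMER_API_KEY, bounded tunables, and a manual confirmation or environment gate for live trading) can be enforced in one startup check. The block below is an added illustration written for this review; it is not code from the reviewed skill or from the simmer-sdk. The --live flag and SIMMER_API_KEY come from the scan findings; the SIMMER_ALLOW_LIVE gate, the MAX_POSITION_USD and MIN_EDGE tunable names, their ranges, and the "LIVE" confirmation phrase are assumptions made for the example.

```python
"""Added example: a live-trading gate of the kind the guidance recommends.

Not part of the reviewed skill. SIMMER_ALLOW_LIVE, MAX_POSITION_USD, MIN_EDGE,
their bounds and the confirmation phrase are assumed names, not the skill's own.
"""
import argparse
import os
from dataclasses import dataclass
from typing import Callable, Mapping, Optional, Sequence


@dataclass(frozen=True)
class RunConfig:
    live: bool                # False means paper trading (the default)
    api_key: Optional[str]    # SIMMER_API_KEY, only mandatory in live mode
    max_position_usd: float   # risk tunable, clamped to an operator-approved range
    min_edge: float           # threshold tunable, likewise bounded


class LiveModeRefused(RuntimeError):
    """Raised when --live was requested but a safeguard was not satisfied."""


def _env_float(env: Mapping[str, str], name: str, default: float, lo: float, hi: float) -> float:
    """Read a numeric tunable from the environment and reject values outside [lo, hi]."""
    raw = env.get(name)
    if raw is None:
        return default
    try:
        value = float(raw)
    except ValueError as exc:
        raise ValueError(f"{name} must be numeric, got {raw!r}") from exc
    if not lo <= value <= hi:
        raise ValueError(f"{name}={value} is outside the allowed range [{lo}, {hi}]")
    return value


def build_config(argv: Sequence[str], env: Mapping[str, str],
                 confirm: Optional[Callable[[str], bool]] = None) -> RunConfig:
    """Parse flags and environment; paper mode needs nothing, live mode must pass every gate."""
    parser = argparse.ArgumentParser(prog="trader", add_help=False)
    parser.add_argument("--live", action="store_true", help="place real trades (default: paper)")
    args = parser.parse_args(list(argv))

    # Tunables are validated in both modes so a typo cannot produce an oversized position.
    max_position = _env_float(env, "MAX_POSITION_USD", 25.0, 1.0, 500.0)
    min_edge = _env_float(env, "MIN_EDGE", 0.03, 0.005, 0.5)
    api_key = env.get("SIMMER_API_KEY") or None

    if not args.live:
        return RunConfig(False, api_key, max_position, min_edge)

    # Live path: credential present, environment explicitly opted in, operator confirmed.
    if api_key is None:
        raise LiveModeRefused("SIMMER_API_KEY is required for --live")
    if env.get("SIMMER_ALLOW_LIVE") != "1":
        raise LiveModeRefused("set SIMMER_ALLOW_LIVE=1 in this environment to permit live trading")
    if confirm is None:
        confirm = lambda prompt: input(prompt).strip() == "LIVE"
    if not confirm(f"Type LIVE to place real trades (max ${max_position:.2f} per position): "):
        raise LiveModeRefused("operator did not confirm live trading")
    return RunConfig(True, api_key, max_position, min_edge)


def refusal_reason(argv: Sequence[str], env: Mapping[str, str],
                   confirm: Optional[Callable[[str], bool]] = None) -> Optional[str]:
    """Return the safeguard that blocked the run, or None if the config was accepted."""
    try:
        build_config(argv, env, confirm)
    except (LiveModeRefused, ValueError) as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    import sys
    try:
        cfg = build_config(sys.argv[1:], os.environ)
    except (LiveModeRefused, ValueError) as exc:
        sys.exit(f"refusing to start: {exc}")
    print("mode:", "LIVE" if cfg.live else "paper", "| max position (USD):", cfg.max_position_usd)
```

The interactive confirmation is injected as a callable so an autonomous invocation (where no terminal is attached) fails closed rather than hanging or defaulting to live; an orchestrator that legitimately runs unattended has to set the environment gate on purpose.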

Review Dimensions

Purpose & Capability
ok
Name and description match the code and metadata: the package requires a Simmer SDK, asks for SIMMER_API_KEY, groups NBA markets and looks for cross-market inconsistencies. The declared pip dependency (simmer-sdk) and the use of SimmerClient in trader.py are appropriate and proportionate to the stated trading purpose.
Instruction Scope
ok
SKILL.md and trader.py describe only market discovery, parsing, consistency checks, ranking, sizing and trade execution. The instructions explicitly default to paper trading and require an explicit --live flag for real trades. The runtime instructions do not request unrelated files, credentials, or system paths.
Install Mechanism
ok
No install script is included; the manifest only lists a pip dependency (simmer-sdk). There are no downloads from arbitrary URLs or archive extraction steps. This is a low-risk, standard Python dependency.
Credentials
ok
Only SIMMER_API_KEY is required and used by trader.py to instantiate SimmerClient. That single credential is appropriate for a trading skill. Tunables are exposed as environment variables for risk parameters (also declared in clawhub.json) and align with the skill's functionality.
Persistence & Privilege
ok
autostart is false and always is not set; the skill is user-invocable. The automaton entrypoint is trader.py (expected). Autonomous invocation (model invocation enabled) is the platform default and not by itself concerning; there is no always:true or evidence that the skill modifies other skills or system-wide config.