Skill v0.0.3
ClawScan security
Polymarket 24h Player Prop Consistency Trader · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 28, 2026, 2:25 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, declared dependencies, and required credential (SIMMER_API_KEY) are coherent with its stated purpose of trading Polymarket player-prop mispricings; nothing requests unrelated secrets or system access.
- Guidance: This skill appears internally consistent for trading Polymarket props via the Simmer SDK. Before installing:
  1. Verify the simmer-sdk PyPI package and its GitHub repository (maintainer identity, recent activity, and source code) so you trust the code that will run with your API key.
  2. Treat SIMMER_API_KEY as high-value: restrict its permissions if possible, use a test/paper key first, and rotate/revoke it if you stop using the skill.
  3. Run the skill in paper/sim mode and review logs and outputs before enabling --live.
  4. If you want extra assurance, scan or review the full trader.py and the simmer-sdk code for any hardcoded or external endpoints beyond Simmer/Polymarket and confirm no unexpected telemetry/exfiltration.
  5. Note the small metadata mismatch (clawhub.json version differs from published version); it is not necessarily malicious, but worth a quick author check.
Review Dimensions
- Purpose & Capability (ok): Name and description match what the code does: discover Polymarket player-prop markets, parse questions, group by player, and place trades via the Simmer SDK. The single required credential (SIMMER_API_KEY) is appropriate for a trading integration.
- Instruction Scope (ok): SKILL.md gives focused trading instructions (market discovery, parsing, grouping, trade sizing). It explicitly defaults to paper trading and requires an explicit --live flag for real trades. The runtime code only reads the declared SIMMER_* environment variables and uses them as tunables; it does not instruct reading unrelated system files or other credentials.
- Install Mechanism (note): There is no custom installer in the skill bundle, but clawhub.json declares a pip dependency on 'simmer-sdk'. Using PyPI packages is a normal approach for this integration, but pip-installed packages are third-party code, so validate the simmer-sdk package provenance (PyPI/GitHub) and review its code or trust model before granting the API key.
- Credentials (ok): Only SIMMER_API_KEY (a trading key) is required and the various SIMMER_* tunables are declared and used for risk control. The requested environment variables are proportional to a trading skill. The skill also documents SIMMER_API_KEY as a high-value credential.
- Persistence & Privilege (ok): The skill is not force-included (always:false), autostart and cron are false/null, and automaton entrypoint is declared but managed and not autostarting. This is a normal footprint for an optional trading skill and does not request elevated platform privileges.
