Skill v0.0.3
ClawScan security
Polymarket 24h Weather Distribution Trader · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 28, 2026, 2:25 PM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill appears to do what it claims (trading Polymarket via a Simmer SDK using a single trading API key), but there are metadata inconsistencies (declared requirements vs files) and packaging/installation information that don't fully line up — review before installing and provide the API key only after vetting the SDK and runtime.
- Guidance
- This skill's code and instructions match its stated trading purpose and it only needs one secret (SIMMER_API_KEY). However: 1) The registry metadata is inconsistent (it claims no required env vars / no install spec while clawhub.json and SKILL.md require SIMMER_API_KEY and list a pip dependency). Treat that as sloppy packaging — confirm the platform will require the API key prompt and that the pip dependency will be installed from PyPI. 2) Before providing SIMMER_API_KEY, review the simmer-sdk source (or vendor) and the SimmerClient usage to ensure it does only expected API calls; run the skill in paper mode (default) to validate behavior. 3) Keep autostart disabled and do not enable live trading until you’re comfortable; rotate the API key if you test with a real key. 4) If you need higher assurance, ask the author/owner for a provenance link or sign-off for the simmer-sdk package (commit/tag) and a full audit of the trader.py file (complete untruncated source).
Review Dimensions
- Purpose & Capability
- note: The skill's code and SKILL.md align with the stated purpose: it reconstructs temperature-bin distributions and uses the Simmer SDK to paper- or live-trade Polymarket markets. Requesting a Simmer trading API key (SIMMER_API_KEY) and the simmer-sdk dependency is coherent with trading functionality. However, the top-level registry summary claimed 'Required env vars: none' while both clawhub.json and SKILL.md require SIMMER_API_KEY — a metadata mismatch that should be corrected.
- Instruction Scope
- ok: Runtime instructions and the Python code stick to market discovery, parsing, detection of sum/monotonicity violations, and trade execution via the SimmerClient. The SKILL.md explicitly warns that the default is paper trading and that live trading requires a --live flag. The instructions do not ask the agent to read unrelated system files or secrets beyond the declared SIMMER_* tunables.
- Install Mechanism
- note: There is no high-risk download host or obfuscated installer. The dependency is a PyPI package ('simmer-sdk') and the SKILL.md points to the project's GitHub and PyPI. However, the registry summary indicated 'No install spec — instruction-only', while clawhub.json declares a pip dependency; that inconsistency should be clarified. Installing a third-party SDK from PyPI is reasonable for this skill, but you should review that package's source before granting credentials.
- Credentials
- note: Functionality requires one high-value secret: SIMMER_API_KEY, which is appropriate for a trading skill. Tunables (SIMMER_MAX_POSITION, thresholds, etc.) are non-sensitive and declared in clawhub.json. The inconsistency between registry metadata (which incorrectly lists no required envs) and the files that require SIMMER_API_KEY is the main concern; ensure the platform will surface the API-key requirement before enabling the skill.
- Persistence & Privilege
- ok: The skill does not request 'always: true' and autostart is false; autonomous invocation is allowed (default), but that is normal for skills. The automaton entrypoint is trader.py, but cron/autostart are disabled by default. No evidence that the skill attempts to modify other skills or system-wide settings.
