Skill v0.0.3

ClawScan security

Polymarket 48h Cross Asset Sync Trader · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign (Apr 28, 2026, 2:23 PM)

Verdict: benign
Confidence: high
Model: gpt-5-mini

Summary: The skill's code, documentation, and declared requirements are coherent with a Polymarket trading bot: it only needs the SIMMER_API_KEY and the simmer-sdk, defaults to paper trading, and does not access unrelated credentials or system paths.
Guidance: This skill appears internally consistent for automated Polymarket trading, but take these precautions before installing:
(1) Treat SIMMER_API_KEY as a high-value secret — do not store it in shared or public places.
(2) Test thoroughly in paper mode (default) and review logs; the code defaults to 'sim' but live trades occur if the script is run with --live.
(3) Review the simmer-sdk package source/version before installation (pin a vetted version).
(4) If you want to prevent accidental real trades, disable autonomous invocation for this skill or require an explicit human confirmation step before allowing --live execution.
(5) Verify tunables (max position, min trade, thresholds) to match your risk tolerance.

Review Dimensions

Purpose & Capability
ok: Name/description (Polymarket cross-asset sync trader) match the actual code and declared requirements: clawhub.json and SKILL.md require SIMMER_API_KEY and the Python simmer-sdk, and trader.py implements market discovery, grouping, signal logic, sizing, and trade execution via SimmerClient.
Instruction Scope
ok: SKILL.md and trader.py instruct the agent to discover markets, parse questions, compute group consensus, detect outliers, and place trades. There are no instructions to read unrelated files, access other environment variables, or transmit data to unexpected endpoints beyond the Simmer API client.
Install Mechanism
note: This is an instruction-only skill with no install script, but clawhub.json lists a pip dependency on 'simmer-sdk'. That is expected for interacting with Simmer, but using unpinned pip packages has the usual supply-chain risk (review the simmer-sdk package/source before trusting).
Credentials
ok: Only SIMMER_API_KEY is required (plus tunable envs for sizing). Requesting a single trading API key is proportionate to the stated purpose. The README explicitly labels it high-value and the code only reads these env vars.
Persistence & Privilege
note: autostart is false and always:false, so nothing runs automatically. However, model invocation is allowed by default and the agent (or an automaton) could run the script with a --live flag to perform real trades if SIMMER_API_KEY is present. Consider gating autonomous invocation or requiring manual confirmation for live mode.