Skill v0.0.3

ClawScan security

Polymarket 48h Geopolitics Cluster Trader · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign (Apr 28, 2026, 2:24 PM)
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's code, declared dependencies, and required environment access align with its stated purpose (automated Polymarket trading using a Simmer API key); nothing in the package appears to request unrelated credentials or system access.
Guidance
This skill appears coherent for automated trading on Polymarket via the Simmer platform. Before installing: (1) Only provide SIMMER_API_KEY if you trust the Simmer integration and understand the key grants trading authority; keep funds limited. (2) Test extensively in paper/sim mode (default) and inspect or run the code in a safe environment before using --live. (3) Review the simmer-sdk package and its network behavior. (4) Keep autostart disabled until you are confident in behavior and tunables. (5) Rotate API keys and limit permissions if possible; never reuse high-privilege keys across unrelated tools.

Review Dimensions

Purpose & Capability
ok
Name/description = automated trading on Polymarket. The package requires SIMMER_API_KEY and depends on 'simmer-sdk' (clawhub.json). The Simmer client usage in trader.py matches the described trading functionality and tunables. Requested resources are proportional to a trading bot.
Instruction Scope
ok
SKILL.md describes market discovery, cluster detection, and trading; the included trader.py implements parsing, clustering, and client interactions. Instructions default to paper trading and only perform live trades with an explicit --live flag. SKILL.md and code do not direct the agent to read unrelated system files or external personal endpoints.
Install Mechanism
note
This is an instruction-only skill with one code file, and clawhub.json declares a pip dependency ('simmer-sdk'). No arbitrary downloads or extract steps are present. Installing a third-party Python package is expected for this purpose but increases runtime surface compared with a pure-instruction skill.
Credentials
ok
Only SIMMER_API_KEY is declared as required. The code reads several tunable env vars with safe defaults; those are reasonable for risk control. The single required credential is directly related to trading authority and is therefore proportionate — but it is high-value and should be guarded.
Persistence & Privilege
ok
autostart: false and cron: null mean the skill does not run automatically out-of-the-box. The automaton entrypoint is set (trader.py) but managed; autonomous invocation is allowed by platform default and is not itself a problem. The package does not set always:true or request system-wide config changes.