Skill v0.0.3
ClawScan security
Polymarket 48h Nba Game Structure Trader · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 28, 2026, 2:23 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is internally consistent: it claims to detect cross-market mispricings on Polymarket and requests the single expected credential and SDK for that purpose; nothing in the files suggests unrelated access or data exfiltration.
- Guidance: This skill appears to do what it says: parse Polymarket NBA markets and paper-trade by default. Before enabling live trading, ensure you (1) set SIMMER_API_KEY only on environments you trust, (2) test extensively in paper mode to validate parsing rules and edge cases, and (3) review tunables (min trade size, max position, thresholds) to limit real financial exposure. Note the pip dependency (simmer-sdk) will be installed — verify the package source if you require stricter supply-chain controls.
Review Dimensions
- Purpose & Capability (ok): Name/description (Polymarket NBA structural arbitrage) align with the code and metadata. The skill declares a single trading credential (SIMMER_API_KEY) and depends on simmer-sdk, both of which are reasonable and expected for interacting with Polymarket via the Simmer platform.
- Instruction Scope (note): SKILL.md and trader.py describe market discovery, parsing, grouping, consistency checks, and trade execution. The skill defaults to paper trading and requires an explicit --live flag for real trades. The instructions ask the agent to provide the trading signal (alpha) — be aware that giving an agent authority to generate or modify live trade signals can lead to real financial actions if --live is used.
- Install Mechanism (note): clawhub.json lists a pip dependency (simmer-sdk). Installing a package from PyPI is moderate-risk but expected for an SDK. There is no opaque download URL or archive extract. (Minor metadata inconsistency: top-level registry summary stated 'No install spec' while clawhub.json includes pip requirements; this is not harmful but worth noting.)
- Credentials (ok): Only SIMMER_API_KEY is required as a credential (declared and used in trader.py). Other tunables are numeric environment variables (non-secrets). No unrelated secrets or credentials are requested.
- Persistence & Privilege (ok): The skill is not force-enabled (always: false) and autostart/cron are false/null. The code calls apply_skill_config if available but does not modify other skills or system-wide config. Autonomous invocation is allowed (platform default) but not combined with unusual privileges.
