Skill v0.0.3
ClawScan security
Polymarket 48h Player Prop Consistency Trader · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 28, 2026, 2:24 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and declared requirements are consistent with its stated purpose (trading Polymarket player props via the Simmer SDK); it asks only for the expected Simmer API key and defaults to paper trading.
- Guidance: This skill appears coherent and behaves as described, but take the usual precautions before enabling live trading: (1) keep autostart disabled and test thoroughly in paper mode first, (2) only supply SIMMER_API_KEY if you trust the Simmer SDK and the Simmer/Polymarket service, (3) review the simmer-sdk package source on GitHub/PyPI yourself (or run it in an isolated environment) to confirm it makes only the expected API calls, (4) limit deposited funds and use a dedicated API key with minimal permissions if possible, and (5) verify that using such trading software complies with your regional laws and platform terms.
Review Dimensions
- Purpose & Capability: ok. Name/description (Polymarket player-prop trader) matches the code and metadata: it imports simmer_sdk, looks up player prop markets, analyzes cross-stat divergence, and places trades. The declared dependency (simmer-sdk) and required credential (SIMMER_API_KEY) are appropriate for a trading integration.
- Instruction Scope: ok. SKILL.md and trader.py instruct the agent to discover markets, parse questions, group by player, analyze divergences, and trade via the SimmerClient. There are no instructions to read unrelated files, exfiltrate arbitrary data, or call unexpected external endpoints in the provided code. Live trading requires an explicit --live flag and the README emphasizes paper mode by default.
- Install Mechanism: ok. There is no special install script; the package declares a pip dependency on 'simmer-sdk' (PyPI + GitHub referenced in SKILL.md). This is a standard package install vector and is proportionate to the skill's needs. No downloads from obscure URLs or archive extraction are present.
- Credentials: ok. Only SIMMER_API_KEY (the trading API key) and a set of tunable SIMMER_* env vars are used. Those tunables are documented in clawhub.json and used in the code. No unrelated secrets or system credentials are requested.
- Persistence & Privilege: ok. autostart is false, cron is null, and always:false — the skill does not request forced or persistent execution. disable-model-invocation is the platform default and not a unique privilege here. The code calls apply_skill_config if available (harmless in Simmer runtime).
