Skill v0.0.3
ClawScan security
Polymarket 48h Sports Line Curve Trader · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 28, 2026, 2:23 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, declared dependencies, and runtime instructions align with a Polymarket O/U curve-arbitrage trader; required credentials and install steps match the stated purpose and there are no obvious incoherent or unrelated privileges requested.
- Guidance: This skill appears internally consistent: it needs a single trading API key (SIMMER_API_KEY) and a PyPI SDK (simmer-sdk) which match its purpose. Before installing:
  1) Treat SIMMER_API_KEY as high-value: keep it in a secure secrets store and do not reuse a key with wider privileges.
  2) Run only in paper mode first (default) and review logs and simulated trades to verify behavior.
  3) If you enable live trading, start with conservative tunables (small SIMMER_MAX_POSITION, low concurrency) and rotate the API key after initial tests.
  4) Vet the simmer-sdk PyPI package and its homepage/repos for trustworthiness and recent maintenance.
  5) If you need deeper assurance, inspect the remainder of trader.py (trade-execution code paths) and any network calls inside simmer-sdk to confirm no unexpected endpoints or credential forwarding occur.
Review Dimensions
- Purpose & Capability (ok): Name/description claim trading Polymarket O/U curve violations. The skill requires SIMMER_API_KEY and the simmer-sdk Python package (declared in clawhub.json and SKILL.md), which is appropriate for a trading client; no unrelated credentials, binaries, or config paths are requested.
- Instruction Scope (ok): SKILL.md describes market discovery, curve construction, signal thresholds, and a clear default to paper trading; trader.py implements parsing, curve building, violation detection, and uses SimmerClient for market and trade interactions. Instructions do not ask the agent to read unrelated files or exfiltrate data. Live trading requires an explicit --live flag.
- Install Mechanism (ok): No install spec is included in the package itself; clawhub.json lists a pip dependency on simmer-sdk (PyPI). Pulling a public PyPI package for a trading SDK is expected for this purpose and is proportionate; no arbitrary URL downloads or archive extraction are present.
- Credentials (ok): Only SIMMER_API_KEY is required (declared). The code also reads tunable parameters from the environment, but these are optional and used for risk limits. No unrelated secrets (cloud keys, tokens) are requested.
- Persistence & Privilege (ok): autostart is false and always is not set; the skill will not run automatically unless explicitly started or configured. The code does call apply_skill_config when available, but this is limited to the Simmer runtime and is not a cross-skill/system modification.
