ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Polymarket Bundle Crypto Hourly Trader

v1.0.1

Trades crypto hourly Up/Down markets when sub-interval consensus disagrees with the hourly price on Polymarket. BTC/ETH/SOL 5-min interval markets within the...

0· 87·0 current·0 all-time
by@diagnostikon
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill is clearly a Polymarket hourly Up/Down trading bot and its code (trader.py), SKILL.md, and clawhub.json consistently use the Simmer SDK and an API key for trading. However the top-level registry metadata in the skill header claims 'Required env vars: none' while clawhub.json and SKILL.md require SIMMER_API_KEY — an incoherence that should be resolved.
Instruction Scope
SKILL.md and the code focus on market discovery, bundle construction, signal detection, and trade execution. The skill defaults to paper trading and requires an explicit --live flag for real trades. The runtime instructions do not request unrelated files, system credentials, or external endpoints beyond the trading SDK.
Install Mechanism
There is no custom install script (instruction-only with a code file). clawhub.json lists a pip dependency on 'simmer-sdk' (PyPI + GitHub links provided). This is a normal dependency for a trading integration, but you should verify the simmer-sdk package/project is legitimate and that your platform's installer will fetch from PyPI rather than an untrusted URL.
!
Credentials
The skill requests a single high-value credential (SIMMER_API_KEY) and multiple tunable env vars for sizing/risk; these are proportionate to a trading bot. The concern is the manifest inconsistency: some metadata claims no required env vars while the actual files require SIMMER_API_KEY. Because SIMMER_API_KEY grants trading authority, treat it as high-risk and only provide it after verifying the SDK and source.
Persistence & Privilege
always:false and autostart:false; the automaton is 'managed' with an entrypoint but won't run automatically. disable-model-invocation is not set (normal). The skill does not request system-wide config changes or other skills' credentials.
What to consider before installing
Before installing: (1) Understand that SIMMER_API_KEY is a high-value credential (it can place real USDC trades). Only provide it after you verify the simmer-sdk project (check its PyPI page and GitHub repo for recent maintenance and trustworthy code). (2) Run the skill in paper/sim mode first (the default) and only use --live after manual review and small tests. (3) The package declares a pip dependency; ensure your environment will install it from PyPI (not a custom URL). (4) Note the metadata mismatch: the registry header claims no required env vars while clawhub.json and SKILL.md require SIMMER_API_KEY — ask the publisher to correct this before trusting automation. (5) If you want extra assurance, review the full trader.py (the distributed file is large) or run it in an isolated environment with a revoked/test API key and monitor network calls and actions.

Like a lobster shell, security has layers — review code before you run it.

latestvk9756nq8r3sz0w5jmvmnk63125847gss

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments