Skill v0.0.3
ClawScan security
Polymarket Candle Harami Trader · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 28, 2026, 2:29 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, declared environment variables, and runtime instructions are coherent with its stated purpose (detecting harami patterns and trading via the Simmer SDK); the single required credential (SIMMER_API_KEY) is expected for trading and the package dependency is reasonable; no hidden endpoints or unrelated privileges were found.
- Guidance: This skill appears internally consistent and performs only the trading-related actions it describes. Before installing: (1) Treat SIMMER_API_KEY as high-value: use a key with limited funds/permissions for testing and never expose your main trading account. (2) Confirm the simmer-sdk package on PyPI (or your package source) is trustworthy and review its network behavior. (3) Keep autostart disabled and verify that any platform-run automation will default to paper mode (the code defaults to venue='sim' unless --live is used). (4) If you plan to run live, test extensively in paper mode and set conservative tunables (min trade, max position). If you want higher assurance, inspect the full trader.py (complete file) and the simmer-sdk code before enabling live execution.
Review Dimensions
- Purpose & Capability (ok): Name/description, SKILL.md, clawhub.json, and trader.py all consistently implement a Polymarket 5-minute harami detection + execution workflow. Required items (SIMMER_API_KEY, simmer-sdk) are proportionate to trading functionality.
- Instruction Scope (ok): Runtime instructions and the Python code limit activity to discovering markets, parsing questions, detecting patterns, applying sizing gates, and submitting trades via the SimmerClient. The skill does not read unrelated system files or request unrelated environment variables.
- Install Mechanism (ok): No arbitrary download URLs or extract steps. clawhub.json declares a pip dependency on 'simmer-sdk', which is a normal, traceable package install for a trading SDK. Recommend reviewing the simmer-sdk package before install.
- Credentials (note): Only SIMMER_API_KEY is required (declared in SKILL.md and clawhub.json), which is appropriate for a trading skill. Note: this key is high-value (trading authority). The skill also reads tunable env vars (SIMMER_*), which match its configuration.
- Persistence & Privilege (note): always:false and autostart:false reduce surprise runs. The clawhub.json includes automaton.managed with entrypoint 'trader.py' (normal for a runnable skill). Because the agent can be invoked autonomously (platform default), ensure SIMMER_API_KEY and live-mode flags are controlled to avoid unintended live trades.
