Skill v0.0.3
ClawScan security
Polymarket Candle Timeframe Mismatch Trader · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 28, 2026, 2:29 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, documentation, and declared requirements are consistent with a Polymarket trading strategy; required resources (SIMMER_API_KEY and simmer-sdk) match its stated purpose and there are no obvious incoherent or suspicious calls.
- Guidance: This skill appears internally consistent for automated Polymarket trading. Before installing:
  1) Treat SIMMER_API_KEY as a high-value credential — verify what permissions that API key grants in Simmer/Polymarket and use a minimally privileged key.
  2) Start in paper mode (no --live) to validate behavior and parsing against live market names; the skill will perform real trades if you run with --live.
  3) Inspect or lock down the 'simmer-sdk' dependency and ensure it is from a trusted source.
  4) If you enable any optional remixes (Binance overlay, external price feeds), review those additions for network endpoints and credential use.
  5) Reduce MAX_POSITION / other tunables when first running live to limit financial exposure.
Review Dimensions
- Purpose & Capability [ok]: Name/description, SKILL.md, clawhub.json, and trader.py all describe a Polymarket Up/Down trading strategy. The skill requires SIMMER_API_KEY (trading authority) and lists 'simmer-sdk' as a pip dependency; both are appropriate and expected for a Simmer/Polymarket trading skill.
- Instruction Scope [note]: The runtime instructions and trader.py focus on market discovery, interval parsing, consensus detection, and order placement; default behavior is paper trading. SKILL.md suggests optional remixes (e.g., overlaying Binance price feeds, volume weighting), which would expand external network usage if implemented, but these are optional enhancements and are not required for the core skill to run.
- Install Mechanism [ok]: No arbitrary download/install URLs are present. The manifest declares a pip dependency on 'simmer-sdk' (standard package registry usage). There is no install script that pulls code from untrusted URLs or writes unexpected binaries.
- Credentials [ok]: The only required secret-level environment variable is SIMMER_API_KEY (declared in SKILL.md and clawhub.json) which is appropriate for a trading client. Other environment variables are tunables (position sizes, thresholds) and not sensitive. The code reads only these declared variables.
- Persistence & Privilege [ok]: autostart/cron are false and 'always' is not set; the skill does not request forced persistent inclusion. Model invocation is allowed (the platform default) but there are no extra privileges requested.
