Skill v1.0.1

ClawScan security

Polymarket Copy Size Conviction Trader · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign (Apr 28, 2026, 2:34 PM)

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary

The skill's code, dependencies, and runtime behavior are consistent with a Polymarket copy-trading strategy that uses portfolio concentration as its signal; no hidden exfiltration or unrelated privileges were found, though there are minor metadata inconsistencies you should note before use.

Guidance

This skill appears to do what it says: it scrapes predicting.top and Polymarket data, computes concentration signals, and uses the Simmer SDK to paper- or live-trade. Before installing:

1) Confirm you are comfortable granting SIMMER_API_KEY to this skill and check what permissions that API key has (it can place orders when live).
2) Start in paper mode (default) and review logs/output to verify behavior.
3) Note the metadata inconsistency: the registry summary omitted required env vars, but clawhub.json requires SIMMER_API_KEY and a pip dependency (simmer-sdk).
4) Review Simmer account settings and revoke the API key if you later decide to stop using the skill.

If you need me to, I can point out the exact lines in trader.py where network calls and Simmer usage occur.

Review Dimensions

Purpose & Capability
Status: ok
The skill implements a copy-trading strategy that fetches leaderboards and on-chain activity, computes portfolio concentration, and uses a Simmer client to paper- or live-trade. The declared runtime dependency (simmer-sdk) and the required API key (SIMMER_API_KEY in clawhub.json) are appropriate for that purpose. Minor inconsistency: top-level registry metadata earlier listed no required env vars, but clawhub.json requires SIMMER_API_KEY.
Instruction Scope
Status: ok
SKILL.md and trader.py limit actions to: scraping the predicting.top leaderboard, calling the Polymarket data API, computing concentrations, and interacting with the Simmer service. The instructions and implementation do not read unrelated system files or credentials. Note: SKILL.md documents many SIMMER_* tunables but does not explicitly mention the required SIMMER_API_KEY; the code does require it to instantiate the SimmerClient.
Install Mechanism
Status: note
The registry summary claimed 'no install spec', but clawhub.json lists a pip dependency (simmer-sdk). Using pip to install a single SDK is proportionate for this skill. No downloads from arbitrary URLs or extracted archives were found.
Credentials
Status: ok
The only sensitive credential required is SIMMER_API_KEY (declared in clawhub.json), which is proportionate because the skill can place trades via the Simmer API. Tunables are exposed as SIMMER_* environment vars as expected. Again, top-level metadata omitting SIMMER_API_KEY is an inconsistency to be aware of.
Persistence & Privilege
Status: ok
The skill is not always:on, is not autostarted, and allows user invocation; autonomous model invocation is permitted (platform default), but the skill does not request elevated system privileges or modify other skills. It can execute live trades only when explicitly run in live mode (and with a valid SIMMER_API_KEY).