Skill v0.0.3

ClawScan security

Polymarket Food Agriculture Trader · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Apr 28, 2026, 2:19 PM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, instructions, and declared requirements align with its stated purpose (paper-first Polymarket trading via the Simmer SDK); nothing in the package requests unrelated credentials, odd install sources, or unexpected system access.
Guidance
This skill appears coherent and implements a paper-first Polymarket trading strategy. Before installing:
1) Keep SIMMER_API_KEY secret and understand it's a high-value credential; only supply keys with the minimum privileges you trust (or use a key that cannot execute live trades if possible).
2) Test thoroughly in paper mode (the default) and review how you would enable live mode (--live) to avoid accidental real trades.
3) Audit the 'simmer-sdk' dependency if you require greater assurance (pip packages run code on install/runtime).
4) Be aware that autonomous agent invocation could execute this skill; rely on autostart=false and platform controls to prevent unintended runs or live trades.

Review Dimensions

Purpose & Capability
ok
Name/description describe a Polymarket trader and the package requires only the Simmer SDK and a single SIMMER_API_KEY credential, which is appropriate for a trading integration. The included logic (market discovery, conviction sizing, harvest-cycle bias) matches the stated trading strategy.
Instruction Scope
ok
SKILL.md and trader.py stay within trading scope: they describe market discovery, sizing, and execution. The skill defaults to paper trading and documents the --live flag for real trades. Instructions do not ask the agent to read unrelated system files or additional environment variables beyond those declared.
Install Mechanism
ok
No custom install/download steps are present; the manifest declares a pip dependency on 'simmer-sdk' (a reasonable, traceable package for this purpose). There are no URLs, extract steps, or unusual installers in the package.
Credentials
ok
Only SIMMER_API_KEY (the trading API key) and configurable SIMMER_* tunables are required. That single high-value credential is proportionate to a trading skill. The code reads only these env vars; nothing else is requested.
Persistence & Privilege
ok
always:false and autostart:false; automaton entrypoint exists but defaults to paper mode. The skill does not request elevated platform privileges or modify other skills. Autonomous invocation is allowed by default on the platform but is not combined here with any other concerning privileges.