
ClawScan security

Polymarket Ladder Nhl Hockey Trader · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Apr 28, 2026, 2:27 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, declared dependencies, and required credential align with its stated purpose of finding and trading Polymarket NHL ladder arbitrage; the only noteworthy risks are the expected need for your SIMMER_API_KEY and an unvetted pip dependency (simmer-sdk) before running live trades.
Guidance
This skill appears internally consistent for Polymarket ladder arbitrage: before using it with real funds, (1) keep it in paper mode (default) and test thoroughly, (2) review the simmer-sdk package source and verify it is trustworthy, (3) treat SIMMER_API_KEY as sensitive — only provide a key with the minimum necessary permissions and consider using a segregated account/limited-balance API key for live testing, (4) inspect the remainder of trader.py (the file was truncated in the bundle listing) to confirm there are no hidden network endpoints or data-exfiltration paths, and (5) only run with --live once you understand the sizing and risk parameters configured in the tunables.

Review Dimensions

Purpose & Capability
ok
The name and description claim to find monotonicity and spread-vs-total violations on Polymarket, and trader.py implements market discovery, parsing, ladder grouping, consistency checks, ranking, and trading via a SimmerClient. The required credential (SIMMER_API_KEY) and the use of a Polymarket/sim venue are coherent with the trading purpose.
Instruction Scope
ok
SKILL.md and the code limit actions to market discovery, parsing, consistency checks, ranking, and executing trades via the Simmer SDK. The instructions and code read only expected environment variables/tunables and do not instruct reading unrelated system files, scanning user data, or calling unexpected external endpoints in the provided code excerpt.
Install Mechanism
note
There is no custom download/install script in the bundle, but clawhub.json declares a pip dependency: simmer-sdk. Pip packages are common for this purpose, but they can run code during install, and their provenance should be verified (check the package source/repository and trustworthiness) before installing in a sensitive environment.
Credentials
ok
The skill requires a single credential: SIMMER_API_KEY, which is appropriate for a trading client that executes orders. The script also reads tunables via environment variables (SIMMER_*), which are declared in clawhub.json. The credential is high-value (trading authority) but proportionate to the stated functionality.
Persistence & Privilege
ok
The skill is not always-enabled, autostart is false, and cron is null. The automaton entrypoint is the script, but the default behavior is paper trading and nothing runs automatically until explicitly started; the skill does not appear to modify other skills or system-wide settings.