Skill v0.0.3
ClawScan security
Polymarket Legal Regulatory Trader · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 28, 2026, 2:20 PM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requirements and code are coherent with its stated purpose (automated Polymarket trading via a Simmer SDK) and there are no unexplained environment or network accesses in the provided files.
- Guidance: This skill appears internally consistent: it needs only SIMMER_API_KEY and the simmer-sdk package to operate and defaults to paper trading unless you pass --live. Before enabling live trading, verify the authenticity of the simmer-sdk package (PyPI/GitHub repo), store SIMMER_API_KEY securely, test extensively in paper mode, set conservative SIMMER_MAX_POSITION and other tunables, and confirm autostart remains disabled. If you need extra assurance, inspect the remainder of trader.py (untruncated) for any unexpected network endpoints or token handling and verify the simmer-sdk client methods used (find_markets, create_order, get_market_context) do only what you expect.
Review Dimensions
- Purpose & Capability: ok. The skill is a Polymarket trading agent and the code and SKILL.md require only a Simmer API key and the simmer-sdk Python package, which aligns with trading functionality. The listed tunables, keywords, and precedent_bias logic are consistent with the stated legal/regulatory trading purpose.
- Instruction Scope: ok. SKILL.md and trader.py confine behavior to market discovery, signal computation, and trade execution via SimmerClient. The skill defaults to paper trading and the SKILL.md does not instruct collection of unrelated system files, secrets, or transmission to third-party endpoints outside the Simmer SDK.
- Install Mechanism: note. No custom install script; clawhub.json declares a pip dependency on simmer-sdk (PyPI/GitHub links provided). Pip packages carry standard supply-chain risk but are appropriate and expected for this skill's purpose.
- Credentials: ok. Only SIMMER_API_KEY is required and is justified (trading authority). The code reads only SIMMER_* tunables in addition to SIMMER_API_KEY; no unrelated credentials or high-privilege environment access are requested.
- Persistence & Privilege: ok. autostart is false and always is false. automaton.managed is true with an entrypoint (normal for a managed skill), but nothing in the manifest forces automatic live trading. The skill can be invoked autonomously by the agent (platform default) — not a red flag by itself.
