Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Polymarket Macro Asymmetric Longshot Trader
v1.0.1Systematically finds markets with huge asymmetric payoff -- markets priced at 2-10% where cross-category macro analysis suggests the REAL probability is 15-3...
⭐ 0· 72·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
high confidencePurpose & Capability
The skill's name/description (longshot trader for Polymarket) matches the code: trader.py implements market discovery, macro scoring, and trade execution via a SimmerClient. However the top-level registry metadata reported 'Required env vars: none' while clawhub.json and trader.py require SIMMER_API_KEY and a simmer-sdk pip dependency. This mismatch is an incoherence that could mislead users about the credentials and packages needed.
Instruction Scope
SKILL.md and trader.py scope match: they locate markets, score macro support, and place trades (paper by default, live only with explicit --live). The instructions do not attempt to read unrelated system files or exfiltrate data. The SKILL.md is a template and invites adding additional signals (news, social), which is expected but broad — be aware added signal integrations could widen data access.
Install Mechanism
There is no separate install script in the top-level install section, but clawhub.json declares a pip dependency ['simmer-sdk']. Installing a package from PyPI is a normal moderate-risk action; confirm the simmer-sdk package provenance before installing. The lack of a clear install spec in the registry listing vs. presence in clawhub.json is an inconsistency to clarify.
Credentials
The code requires a single API credential SIMMER_API_KEY (declared in clawhub.json and used by trader.py). That is proportionate for a trading skill, but because the key permits real trading, the user must understand its privileges. The registry metadata incorrectly listed no required env vars, which could cause users to supply keys unknowingly. No other unrelated secrets or config paths are requested.
Persistence & Privilege
The skill is not always-enabled (always:false), autostart is false, and cron is null. The automaton entrypoint is trader.py but the default behavior is paper-mode; live trading requires an explicit --live flag. This limits unexpected persistent or autonomous live trading.
What to consider before installing
This skill appears to be a legitimate Polymarket longshot trading bot, but there are important inconsistencies you should resolve before installing:
1) Credentials: clawhub.json and trader.py require SIMMER_API_KEY. That key is used to instantiate SimmerClient and can enable real trades if the script is run with --live. Do not provide keys unless you understand the privileges and trust the simmer SDK provider.
2) Dependency: clawhub.json lists 'simmer-sdk' (pip). Verify the package source (PyPI name, author, and repository) before installing to avoid pulling a malicious package.
3) Metadata mismatch: the registry summary claimed no required env vars/install steps — this is incorrect. Ask the publisher to fix metadata or refuse installation until clarified.
4) Safe testing: run the skill only in paper mode (default sim venue) first. Inspect simmer-sdk code (or vendor it) and consider running within a restricted account that cannot execute high-value trades.
5) Review controls: confirm that live trades are only executed with an explicit flag/consent and review logging/telemetry the skill may send. If you lack comfort auditing the dependency or API key scope, do not install.Like a lobster shell, security has layers — review code before you run it.
latestvk9772kkq5gdfvsxevsr2q0hvzd847eq9
License
MIT-0
Free to use, modify, and redistribute. No attribution required.