ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Polymarket Macro Event Cascade Trader

v1.0.1

Trades 2nd and 3rd order effects from nearly-resolved Polymarket events. When a major geopolitical, crypto, or weather event resolves, downstream markets (oi...

0· 64·0 current·0 all-time
by@diagnostikon
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
Name/description, declared dependency (simmer-sdk) and the single required secret (SIMMER_API_KEY) line up with a Polymarket trading skill. However, SKILL.md describes detecting 'nearly-resolved' triggers that resolve within 24 hours, while the code enforces a MIN_DAYS market-quality gate (default 3 days) that will exclude such 24-hour markets — this is a meaningful mismatch between claimed capability and actual behavior.
!
Instruction Scope
SKILL.md describes scanning markets, mapping cascades and trading downstream targets; the implementation matches that intent and defaults to paper trading. However the documentation and code disagree on the time-window for 'nearly-resolved' triggers (24h in SKILL.md vs MIN_DAYS gating in code). The instructions also suggest optional integrations (news, cross-venue checks) but those are not present by default — harmless but worth noting.
Install Mechanism
This is instruction+code only with no install spec that downloads arbitrary archives. The manifest declares a pip dependency on 'simmer-sdk' which is appropriate for a Simmer/Polymarket integration and is a traceable registry package rather than an unknown URL.
Credentials
The skill requires a single high-value credential (SIMMER_API_KEY) and several tunables exposed as env variables; these match the described trading purpose. No unrelated credentials or surprising config paths are requested.
Persistence & Privilege
always is false and autostart/cron are false/null, so the skill won't run or stay resident by default. Automaton is 'managed' with an entrypoint, which is expected for a runnable trading skill; nothing indicates it modifies other skills or requests elevated platform privileges.
What to consider before installing
This skill is plausibly what it says (a Polymarket cascade trader) and only asks for the expected Simmer API key, but there is a clear mismatch: SKILL.md says it looks for triggers resolving within 24 hours, while the code’s market-quality gate excludes markets resolving in fewer than MIN_DAYS (default 3). Before installing or using with real funds: 1) Run thoroughly in paper mode (default) and validate behavior for short-horizon triggers you care about. 2) If you want the 24-hour behavior, inspect and modify MIN_DAYS or the is_nearly_resolved/valid_market logic. 3) Scope the SIMMER_API_KEY with the least privilege possible and never put a live key in a place you can't rotate. 4) Only enable --live after you’ve audited the code paths for trade execution and tested fail-safes (max positions, spread gates, min trade). 5) If you need the optional news/cross-venue checks, add them explicitly (they are only suggested in SKILL.md, not implemented).

Like a lobster shell, security has layers — review code before you run it.

latestvk97903wfxkfnw64gfqpez0q0e1847932

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments