Skill v0.0.3

ClawScan security

Polymarket Macro Inflation Chain Trader · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 28, 2026, 2:32 PM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's code, declared requirements, and runtime instructions are internally consistent with a Polymarket trading strategy that uses a Simmer SDK; the requested credentials and behavior align with its stated purpose.
Guidance
This skill appears coherent for a Simmer/Polymarket trading integration. Before installing:
1) Only provide a SIMMER_API_KEY you trust; treat it as trading authority and consider limiting funds/permissions on the Simmer side if possible.
2) Keep the default paper mode and test behavior thoroughly before using --live.
3) Review simmer-sdk (the pip dependency) and pin a known-good version to reduce supply-chain risk.
4) Check that tunables (MIN_TRADE, MAX_POSITION, etc.) are set to sensible conservative values during testing.
5) If you plan to run autonomously, monitor logs and rate-limit activity; autonomous invocation is normal but increases impact if a bug exists.
If you want, I can scan the full trader.py for any network calls beyond SimmerClient or produce a short checklist of what to audit in the simmer-sdk usage.

Review Dimensions

Purpose & Capability
ok: Name/description (Polymarket macro chain trader) align with the actual code and declared requirements. The skill only requires a Simmer API key and SIMMER_-prefixed tunables, and uses simmer-sdk to enumerate markets and execute trades. No unrelated cloud credentials, system paths, or unrelated binaries are requested.
Instruction Scope
ok: SKILL.md and trader.py focus on market classification, chain logic, sizing, and trading. Instructions emphasize paper trading by default and only perform live trades with an explicit --live flag. The doc and code do not instruct reading unrelated system files, scanning shell history, or sending data to third-party endpoints beyond the Simmer client.
Install Mechanism
ok: There is no install spec that pulls arbitrary binaries or archives. clawhub.json lists a pip dependency (simmer-sdk), which is appropriate for a Simmer-integrated trader. No downloads from untrusted URLs or extract operations are present.
Credentials
ok: Only SIMMER_API_KEY is required (declared) plus many SIMMER_ tunables (declared in clawhub.json) for position sizing and filters. These environment variables are proportionate to a trading skill; there are no unrelated secrets (AWS, GCP, SSH keys, etc.).
Persistence & Privilege
ok: The skill is not force-installed (always:false), autostart is false, and cron is null. It is user-invocable and can be run autonomously per platform defaults, which is expected for a trading automaton. It does not request elevated system-wide persistence or modify other skills' configurations.