Skill v0.0.3

ClawScan security

Polymarket Macro Weekend Momentum Trader · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 28, 2026, 2:31 PM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's requests and code line up with its stated purpose (Polymarket weekend momentum trading); the single required secret (SIMMER_API_KEY) and the simmer-sdk dependency are proportional for a trading skill and there are no install-time downloads or hidden endpoints in the provided files.
Guidance
This skill appears coherent for its stated trading purpose. Before installing:
1) Treat SIMMER_API_KEY as a high-value secret: only provide it if you trust the Simmer runtime and the skill author.
2) Run and review the trader in paper mode (default) to verify behavior before using --live.
3) Inspect or vet the 'simmer-sdk' package (the code will call out to that SDK) or run in an isolated/test account if possible.
4) Be cautious when enabling any automation/cron outside of the provided default because live trading carries financial risk.

Review Dimensions

Purpose & Capability
ok · The skill is a Polymarket trading strategy: it requires a Simmer API key and declares a dependency on 'simmer-sdk' in clawhub.json. Those requirements are appropriate for executing simulated or live trades on Polymarket via a Simmer client. No unrelated credentials, binaries, or system paths are requested.
Instruction Scope
ok · SKILL.md and the trader.py logic are scoped to discovering Polymarket markets, computing a BTC threshold ladder drift signal, sizing trades, and placing paper or live orders. The instructions do not tell the agent to read unrelated files or exfiltrate data. The skill defaults to paper trading and requires an explicit --live flag for real trades.
Install Mechanism
note · There is no custom download/install script; the manifest lists a pip dependency ('simmer-sdk'), which is a standard package-install approach (moderate risk but expected for this use). No arbitrary URLs, extract operations, or unknown installers are present.
Credentials
ok · Only SIMMER_API_KEY is declared as required and used to authenticate the SimmerClient; other runtime parameters are exposed as tunables via environment variables and default to safe values. The single high-value credential requested is justified by the trading functionality.
Persistence & Privilege
ok · autostart is false and cron is null; the skill does not request always: true. automaton.managed with an entrypoint is normal for a runnable skill, but nothing indicates it will run automatically or change other skills' configs. The code attempts apply_skill_config but handles its absence gracefully.