Skill v0.0.3
ClawScan security
Polymarket Micro Cluster Momentum Trader · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 28, 2026, 2:34 PM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and declared requirements are internally consistent for a Polymarket micro trading bot — it requires only a Simmer API key and the simmer-sdk and defaults to paper trading — but you should still verify the external simmer-sdk package and the unknown publisher before running live.
- Guidance: This skill appears to do what it says: it uses simmer-sdk with your SIMMER_API_KEY to discover Polymarket markets and place trades. Before enabling live trading: 1) verify the simmer-sdk PyPI package and its GitHub repo (review code and recent releases) to reduce supply-chain risk; 2) keep the skill in paper mode until you validate behavior and tunables; 3) treat SIMMER_API_KEY as a high-value secret (rotate/revoke if compromised); 4) confirm you trust the unknown publisher (no homepage provided); and 5) run the skill in a sandboxed environment and review network activity if you need higher assurance.
Review Dimensions
- Purpose & Capability (ok): Name/description, SKILL.md, clawhub.json, and trader.py all align: the skill discovers Polymarket 5-minute Up/Down markets, detects cross-coin clusters, and places micro trades through the Simmer SDK. The single required credential (SIMMER_API_KEY) maps to the declared trading authority.
- Instruction Scope (ok): SKILL.md and trader.py limit actions to market discovery, parsing, cluster detection, and trade execution via the Simmer client. There are no instructions to read unrelated files, exfiltrate env vars, or call unexpected endpoints in the provided code/instructions.
- Install Mechanism (note): This is an instruction-only skill with a pip dependency (simmer-sdk) declared in clawhub.json. Installing a third-party PyPI package is a normal moderate-risk step; verify the simmer-sdk package and its GitHub repository before installing, since supply-chain risks exist for unverified packages.
- Credentials (ok): The only required credential is SIMMER_API_KEY (trading authority), which is proportional to the skill's function. Other environment variables referenced are tunables with defaults and are declared in clawhub.json; the code reads them for risk controls.
- Persistence & Privilege (ok): autostart/cron are false and always is not set; the skill does not request permanent forced inclusion. The automaton entrypoint is provided but autostart=false means it won't run automatically until enabled — appropriate for a trading bot.
