Skill v0.0.3
ClawScan security
Polymarket Micro Coin Lag Trader · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 28, 2026, 2:35 PM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's code, declared dependency (simmer-sdk), and required credential (SIMMER_API_KEY) are coherent with its stated purpose (micro-trading Polymarket 5-min Up/Down markets) and default to paper trading, but you should review the third‑party simmer-sdk and the full trader.py before providing real credentials or enabling live mode.
- Guidance: This package appears internally consistent for Polymarket micro‑trading: it requires only SIMMER_API_KEY and the simmer-sdk, and it defaults to paper trading. Before enabling live trading or supplying your API key: 1) review the full trader.py source (ensure there are no hidden network calls, telemetry, or secrets exfiltration beyond the Simmer API), 2) inspect the simmer-sdk project/release on PyPI/GitHub to confirm it's legitimate and up-to-date, 3) run the skill in sim/paper mode to verify behavior and logs, 4) keep autostart disabled until you’re confident, and 5) if you do provide SIMMER_API_KEY, use a least‑privileged or ephemeral key and rotate it after testing. The skill owner/homepage is not provided in the registry metadata — that reduces provenance, so exercise extra caution.
Review Dimensions
- Purpose & Capability (ok): Name/description, SKILL.md, clawhub.json and trader.py all describe Polymarket micro-trading and declare a single trading API dependency (simmer-sdk) plus SIMMER_API_KEY. The requested resources (SDK + trading API key + tunables) match the stated capability.
- Instruction Scope (ok): SKILL.md runtime instructions and the visible trader.py logic focus on discovering Polymarket Up/Down markets, grouping 5‑min windows, detecting BTC lead signals and placing trades. The skill defaults to simulation mode and the instructions do not ask the agent to read unrelated system files or unrelated credentials.
- Install Mechanism (ok): No raw URL downloads or archive extraction; the manifest lists a normal PyPI dependency (simmer-sdk). This is a standard install pattern for a Python trading client and is proportionate to the task.
- Credentials (note): Only one required secret is declared: SIMMER_API_KEY, which is appropriate for a trading integration. Tunables are non-secret. Treat SIMMER_API_KEY as a high-value credential and only provide it when you trust the package and code.
- Persistence & Privilege (ok): autostart is false and always is false. The automaton entrypoint is trader.py but it will not run by default. The skill does not request elevated platform privileges or permanent forced inclusion.
