Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Polymarket Onlyfans Trader
v1.0.2Trades Polymarket markets on OnlyFans using three structural edges — celebrity pipeline base-rate mispricing (retail ignores demographic base rates for who j...
⭐ 0· 85·1 current·1 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidencePurpose & Capability
The code (trader.py), SKILL.md, and clawhub.json are all about trading Polymarket markets for OnlyFans events, which is coherent with the skill's name and description. However, SKILL.md claims “default signal requires no external API,” while clawhub.json lists a required env SIMMER_API_KEY and a pip dependency on 'simmer-sdk' and trader.py imports SimmerClient. That mismatch between the prose and the manifest is an incoherence that should be clarified with the publisher.
Instruction Scope
The runtime instructions and the Python code focus on market classification, bias multipliers, and trade execution plumbing. They do not instruct the agent to read unrelated system files or exfiltrate data; network access is limited to the trading client (simmer-sdk) which is consistent with the stated trading purpose.
Install Mechanism
There is no arbitrary download URL or archive in the bundle (no high-risk install). The clawhub.json declares a pip dependency on 'simmer-sdk' which is a normal registry install pattern but is still a third-party package — you should verify the package's provenance and review its code or metadata before installation.
Credentials
The skill requires an API key for an external trading service (SIMMER_API_KEY) and exposes many SIMMER_* tunables for risk controls. Requesting one trading API key is proportionate to a trading bot, but note the top-level registry metadata provided earlier incorrectly said 'Required env vars: none' — that inconsistency is concerning. Ensure the API key scope is limited (paper trading vs live trading) and understand what the key can do (place/cancel orders, withdraw funds, view balances).
Persistence & Privilege
The skill is not marked always:true and autostart is false in clawhub.json. It is an automaton-managed entrypoint (entrypoint=trader.py) but does not appear to force persistent installation or elevated platform-wide privileges. Model invocation is enabled (default) which is normal for skills; there is no evidence it modifies other skills or system settings.
What to consider before installing
Before installing: 1) Confirm with the author why SKILL.md claims no external API while clawhub.json and trader.py require SIMMER_API_KEY and simmer-sdk. 2) Audit or verify the simmer-sdk package source (PyPI project page, GitHub repo) so you know what code will run. 3) Treat the SIMMER_API_KEY as a sensitive credential — supply a key with the minimum privileges possible (ideally a paper/sandbox key) and be prepared to rotate/revoke it. 4) Start in paper mode (the code documents a 'sim' venue) to confirm behavior before enabling live trades. 5) If you lack confidence in the publisher, ask for a signed/reproducible release or have someone review trader.py for any hidden network calls or dangerous actions; the mismatch in documentation vs manifest lowers trust and should be resolved first.Like a lobster shell, security has layers — review code before you run it.
latestvk97ac5qyvv7n027rm24nc58jbh846d3d
License
MIT-0
Free to use, modify, and redistribute. No attribution required.