Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Polymarket Resolution Lattice Trader
v1.0.1
Trades Polymarket markets by detecting logical inconsistencies between related contracts such as earlier-vs-later deadlines and prerequisite-vs-downstream ev...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious (medium confidence)
Purpose & Capability
The skill's name, SKILL.md, clawhub.json, and trader.py all describe a Polymarket trading bot that uses Simmer (simmer-sdk) and an API key to place trades; that capability justifies the simmer SDK dependency and a trading API key. However, the top-level registry metadata in the provided listing said "Required env vars: none" while clawhub.json and SKILL.md explicitly require SIMMER_API_KEY — this mismatch is incoherent and should be resolved.
Instruction Scope
SKILL.md and trader.py keep runtime behavior within the trading domain (market discovery, scoring, and trades). The skill defaults to paper trading and only performs live trades with an explicit --live flag. There are no instructions to read unrelated files or exfiltrate data to third-party endpoints outside the Simmer/Polymarket flow.
Install Mechanism
There is no explicit install spec file, but clawhub.json declares a pip requirement for 'simmer-sdk' (a PyPI package with a linked GitHub repo). Using a PyPI dependency is expected for this purpose, but the absence of an explicit platform install spec alongside the pip listing is a minor inconsistency to verify with the platform installer.
Credentials
The skill requires a single high-value credential, SIMMER_API_KEY, which is proportionate for a trading bot. The concern is the manifest inconsistency: some metadata claims no required env vars while clawhub.json and SKILL.md require SIMMER_API_KEY — that divergence could confuse users and automated installers and should be corrected. No other unrelated credentials are requested.
Persistence & Privilege
always:false and autostart:false are set; the skill does not request permanent forced inclusion or elevated platform privileges. It does attempt to call apply_skill_config() when available (to load tunable overrides), which is normal for Simmer-managed skills.
Scan Findings in Context
[pre-scan:none] expected: No regex-based warnings were detected in the provided scan. That does not substitute for manual review of the full source; the provided trader.py is truncated in the listing (ends with '[truncated]'), so the scanner may have missed later code.
[uses-pypi-dependency:simmer-sdk] expected: The skill depends on 'simmer-sdk' via clawhub.json. This is expected for a Simmer/Polymarket trading integration; verify the PyPI package and GitHub repo are legitimate and up-to-date.
What to consider before installing
Before installing or running this skill:
- Verify the SIMMER_API_KEY requirement: the skill needs this single high-value credential; only provide it if you trust Simmer Markets and you intend to allow trading. Prefer a scoped API key and be ready to rotate it.
- Confirm the manifest: the top-level metadata you were shown claims no env vars, but clawhub.json and SKILL.md require SIMMER_API_KEY — ask the publisher to fix this inconsistency.
- Review the full trader.py: the provided source is truncated in your listing; request and inspect the complete file to ensure there is no unexpected behavior later in the code (e.g., network calls to unknown hosts, credential exfiltration, shell execs).
- Audit the simmer-sdk package: check the PyPI page and linked GitHub repo for legitimacy and recent activity.
- Run in paper mode first: the skill defaults to sim/paper trading; exercise it in sim mode and monitor actions before enabling --live.
- Limit exposure: run the skill in an isolated environment and do not grant broader credentials or access than necessary. If anything else in the full source or the publisher's pages looks different from the SKILL.md, treat that as a red flag.
If you provide the full trader.py (untruncated), I can re-evaluate and raise the confidence of this assessment.
Like a lobster shell, security has layers — review code before you run it.
latest: vk970b2e794eej5gnxk15ptsj5d8466qf
