Skill v0.0.3

ClawScan security

Polymarket Resolution Lattice Trader · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 28, 2026, 2:23 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini

Summary: The skill's code, declared dependencies, and environment requirements are consistent with its stated purpose of trading Polymarket using cross-market logical constraints; the only high-value secret it requests is the expected SIMMER_API_KEY for trading access.
Guidance: This skill appears internally consistent, but treat the SIMMER_API_KEY as a high-value secret. Recommendations before enabling live trading:

1) Run the skill in paper/sim mode first to validate behavior.
2) Inspect the simmer-sdk package source (and its network behavior) — ensure it is the legitimate Simmer client from the referenced GitHub/PyPI.
3) Create a least-privilege API key (if Simmer supports scoped keys) or use a key with limited funds and rotate it after testing.
4) Because the skill owner and homepage are not provided, exercise extra caution: review trader.py fully (it appears to only use SimmerClient and not exfiltrate other data) and confirm your platform's automaton settings before granting runtime privileges or scheduling automatic runs.

Review Dimensions

Purpose & Capability
ok: The name/description (cross-market lattice trading on Polymarket) matches the included trader.py implementation: market discovery, parsing for temporal/prerequisite relations, scoring, and trade execution via SimmerClient. The required dependency (simmer-sdk) and the single declared credential (SIMMER_API_KEY) are coherent with a trading integration.
Instruction Scope
ok: SKILL.md describes a template strategy and safety defaults (paper mode by default). The runtime instructions and trader.py limit actions to market discovery, scoring, and trading via the Simmer SDK; there are no instructions to read unrelated files, gather extra environment secrets, or post data to unexpected external endpoints beyond the Simmer/Polymarket integration.
Install Mechanism
note: There is no separate install script, but clawhub.json declares the pip dependency 'simmer-sdk', which is appropriate for a Python-based Simmer client. This is moderate-risk only insofar as you should vet the simmer-sdk package source before granting it API access.
Credentials
ok: The skill requests one high-value environment variable (SIMMER_API_KEY), which is necessary for trading. All other runtime configuration comes from SIMMER_* tunables (declared in clawhub.json) and is read consistently by the code. The code does not read other undeclared environment variables or config paths.
Persistence & Privilege
note: always:false and autostart:false (no automatic live execution). automaton.managed is true with entrypoint trader.py (standard for a managed trading skill). disable-model-invocation is false (normal); this combined with the trading API key means an agent could be authorized to trade if started live — but the skill defaults to the simulated venue and requires an explicit --live flag to perform real trades.