Polymarket Social Trends Trader
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: polymarket-social-trends-trader Version: 0.0.3 The skill is a legitimate trading bot designed to execute trades on Polymarket based on social trend indicators and legislative calendars. The code in `trader.py` implements a transparent strategy using the `simmer-sdk` and includes safety features such as a default paper-trading mode (venue='sim') and risk-management tunables defined in `clawhub.json`. No evidence of data exfiltration, malicious execution, or harmful prompt injection was found; the logic is entirely consistent with the stated purpose of the skill.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
In a reused runtime, a later action intended to be paper trading could potentially continue using a live trading client after a prior live run.
The client is a process-wide singleton. If initialized in live mode, later calls in the same process do not re-check or downgrade the venue when live=false, which weakens the stated control boundary for real-money trading.
_client: SimmerClient | None = None ... if _client is None: venue = "polymarket" if live else "sim" ... return _client
Use separate clients for sim and live venues, assert the current venue before every order, and require an explicit confirmation or fresh initialization for live trading.
A changed or compromised dependency could alter trading behavior or mishandle the API key.
The required SDK is not version-pinned or hash-pinned, and it is the component that will receive the API key and perform trading-related operations.
"requires": { "env": [ "SIMMER_API_KEY" ], "pip": [ "simmer-sdk" ] }Pin the SDK to a reviewed version, provide a lockfile or hash, and document the dependency provenance before using live funds.
A mis-scoped or exposed API key could allow trading activity on the connected account.
The skill authenticates with a Simmer API key and can select the Polymarket venue when live mode is enabled. This is purpose-aligned, but it is sensitive account authority.
api_key=os.environ["SIMMER_API_KEY"], venue=venue
Use a dedicated, revocable key with the minimum needed permissions, keep balances low, and monitor live trading logs.
If enabled, the skill may run trading logic as an automated process rather than a one-off manual command.
The skill is set up as a managed automaton, which is expected for a trading bot, but the manifest does not autostart it or schedule cron execution.
"cron": null, "autostart": false, "automaton": { "managed": true, "entrypoint": "trader.py" }Keep autostart disabled unless intentionally using the bot, start in paper mode, and use conservative position limits.