Skill v0.0.3

ClawScan security

Polymarket Space Trader · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review: Apr 28, 2026, 2:19 PM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill mostly does what it says (space-market trading) and uses a safe-by-default paper mode, but there are internal inconsistencies around required credentials and packaging that merit caution before installing.
Guidance
This skill appears to implement the stated Polymarket trading strategy and defaults to safe paper trading, but the registry metadata does not match the included files: clawhub.json and SKILL.md both require SIMMER_API_KEY while the top summary says no env vars are required. Before installing:

1) Verify the registry metadata is corrected so you know the skill truly needs SIMMER_API_KEY.
2) Do not put a live-capable trading key in your environment unless you intentionally want to enable live trades; use a sim/paper key or make sure your key is scoped/revocable.
3) Review the simmer-sdk package (source repository and recent versions) so you trust what the SDK does with your key.
4) If you want deeper assurance, provide the rest of trader.py (the file was truncated in the bundle) so the code paths that run on cron/automan can be fully reviewed.

If the metadata mismatch is explained/fixed and simmer-sdk looks legitimate, this skill is coherent with its stated purpose; otherwise treat the metadata inconsistency as a risk signal.

Review Dimensions

Purpose & Capability
Concern: The skill's files (SKILL.md and clawhub.json) require SIMMER_API_KEY and depend on the simmer-sdk Python package — appropriate for a trading agent — but the registry summary at the top of the evaluation incorrectly lists 'Required env vars: none' and 'Primary credential: none'. That metadata mismatch is an incoherence that should be resolved before trusting the registry listing.
Instruction Scope
OK: Runtime instructions and trader.py focus on market discovery, sizing, and order placement. The SKILL.md explicitly defaults to paper trading and requires an explicit --live flag for real USDC trades. Optional remix data sources (NASA APIs, TLEs, social media) are suggested but not required by the shipped code.
Install Mechanism
Note: No install script is provided (install-only via 'clawhub install'), which is low risk. The package requires the third-party pip dependency 'simmer-sdk' declared in clawhub.json; installing third-party packages is a normal risk vector — you should review simmer-sdk (source and reputation) before installing.
Credentials
Concern: The code and SKILL.md legitimately require SIMMER_API_KEY and several SIMMER_* tunables (MAX_POSITION, etc.). These are proportionate to a trading skill. However, the top-level registry metadata incorrectly reports no required env vars, creating ambiguity. Also note the meaningful security consideration: a live-capable API key would allow real trades — the skill warns about this, but the user must ensure the key provided is appropriately scoped (prefer a paper/sim-only key for routine use).
Persistence & Privilege
OK: The skill is not always-on (always:false) and autostart is false. It is automaton-managed with an entrypoint but will not start automatically until configured. Default model-invocation/autonomy settings are normal for skills.