Polymarket Supply Chain Trader

Pass

Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: polymarket-supply-chain-trader
Version: 0.0.3

The skill is a legitimate trading bot designed to interact with Polymarket prediction markets related to supply chain and logistics. It features a transparent implementation in `trader.py` that includes safety mechanisms such as defaulting to paper trading (simulation mode) and requiring an explicit `--live` flag for financial transactions. No indicators of data exfiltration, malicious execution, or harmful prompt injection were found in `SKILL.md` or the supporting configuration files.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If live mode is enabled, the bot may trade in lower-liquidity or nearer-resolution markets and hold more positions than the user expected from the documentation.

Why it was flagged

The safety documentation advertises stricter trading controls than the runnable defaults. In a live-capable financial bot, this can mislead users about liquidity, spread, resolution-time, and concentration limits.

Skill content

SKILL.md: "Min market volume | $5,000", "Max bid-ask spread | 10%", "Min days to resolution | 7", "Max open positions | 5"; trader.py/clawhub.json defaults include MIN_VOLUME/"default": 1000, MAX_SPREAD/"default": 0.12, MIN_DAYS/"default": 0, MAX_POSITIONS/"default": 8.

Recommendation

Do not run live until the documented risk limits are reconciled with the code/tunables; verify all Simmer tunables in the UI and start with paper trading.

What this means

Once live mode is intentionally enabled, the agent can place real prediction-market trades according to its strategy and configured limits.

Why it was flagged

The skill is designed to execute trades through an agent workflow. That is purpose-aligned, and paper trading is the default, but live mode is a high-impact action controlled by a coarse command-line flag rather than per-trade review.

Skill content

"The skill handles all the plumbing (market discovery, trade execution, safeguards)" and "Real trades only execute when `--live` is passed explicitly."

Recommendation

Use paper mode first, review every tunable, and only pass `--live` in an isolated environment with funds you are willing to risk.

What this means

A live-capable key could allow real USDC trades if the bot is run with live mode enabled.

Why it was flagged

The skill requires a sensitive API key with trading authority. This is expected for the stated purpose and no credential leakage is shown, but the credential can authorize financial actions.

Skill content

trader.py: "api_key=os.environ[\"SIMMER_API_KEY\"]"; SKILL.md: "`SIMMER_API_KEY` | Yes | Trading authority".

Recommendation

Use the least-privileged or paper-trading key available, keep it out of shared environments, and do not provide a live-capable key unless you intend to allow automated trading.

What this means

Installation could pull whatever simmer-sdk version is current, which may change behavior over time.

Why it was flagged

The skill depends on an unpinned external SDK and does not provide a source/homepage in the registry metadata. The dependency is purpose-aligned, but users must trust the package resolution and publisher provenance.

Skill content

clawhub.json: "pip": ["simmer-sdk"]; metadata: "Source: unknown" and "Homepage: none".

Recommendation

Pin the SDK version and verify the package source before using this with sensitive credentials or live funds.