Skill v0.0.3

ClawScan security

Polymarket Twitter Cross Contagion Trader · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 28, 2026, 2:32 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, declared dependencies, and requested credentials line up with a trading integration that uses the Simmer SDK and a SIMMER_API_KEY; nothing in the bundle suggests covert behavior or unrelated access.
Guidance
This skill appears coherent for automated trading via the Simmer SDK. Before installing:
1) Verify the top-line registry metadata mismatch — the files require SIMMER_API_KEY even though the initial report showed none.
2) Review the simmer-sdk PyPI/GitHub source to ensure the SDK is trustworthy.
3) Keep only a paper-mode API key or a key restricted to non-live actions when testing; do not place a live-capable key in an environment where automated code could be run until you audit the code and SDK.
4) Confirm autostart/cron settings remain disabled if you don't want it to run automatically.
5) If you plan to run live, double-check tunables (max position, min trade, max open positions) and consider running a code audit or limited-capital live test first.

Review Dimensions

Purpose & Capability
ok
Name/description describe a Polymarket trading strategy and the package requires an API key and simmer-sdk — exactly what a trading skill needs. The declared contagion logic and tunables are consistent with a market-making/trading bot.
Instruction Scope
ok
SKILL.md and trader.py confine runtime actions to discovering markets, computing signals, and placing trades via SimmerClient. There are no instructions to read arbitrary local files, scan unrelated services, or exfiltrate data to unknown endpoints. The skill warns that --live enables real trading.
Install Mechanism
note
This is instruction-only (no installer script), but clawhub.json and SKILL.md declare a pip dependency on 'simmer-sdk'. That is a reasonable, expected dependency for a Simmer integration — review the PyPI/GitHub package before supplying live credentials.
Credentials
note
Required environment variables are SIMMER_API_KEY and several SIMMER_* tunables used to cap risk; these are proportionate for a trading skill. Note: the skill bundle files (SKILL.md/clawhub.json) do require SIMMER_API_KEY, but the summary at the top of the report listed 'Required env vars: none' — that's an inconsistency you should resolve before installing.
Persistence & Privilege
ok
always:false and autostart:false; the automaton entrypoint exists but it will not start automatically. The skill does not request elevated or system-wide privileges. The agent can invoke it autonomously (default), which is normal for skills; combine that with caution when providing live trading credentials.