Skill v1.0.1
ClawScan security
Polymarket Whale Exit Fade Trader · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 28, 2026, 2:33 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and declared requirements are coherent with its stated purpose (monitoring Polymarket whale activity and paper/live trading via the Simmer SDK); it only requests the expected SIMMER_API_KEY and talks to the described public APIs.
- Guidance: This skill appears internally consistent: it needs only SIMMER_API_KEY and the simmer-sdk, calls predicting.top and Polymarket's public data API, and defaults to paper trading unless you pass --live. Before installing, verify you trust the simmer-sdk package (pip package review), ensure your SIMMER_API_KEY has appropriate permissions and limits, and run the skill in paper mode first to validate behavior. If you plan to enable live trading, review the full trader.py (including the truncated portion) to confirm there are no unexpected network endpoints or logic that could place trades you don't intend. Finally, be aware the skill performs network requests to external services (leaderboard, Polymarket, and Simmer) and will share market/trade metadata with those services as part of normal operation.
Review Dimensions
- Purpose & Capability (ok): Name/description, SKILL.md, clawhub.json, and trader.py all align: the skill queries predicting.top and data-api.polymarket.com and uses simmer-sdk with SIMMER_API_KEY to execute paper or live trades. Requested resources (SIMMER_API_KEY, simmer-sdk) are expected for this use case.
- Instruction Scope (ok): Runtime instructions and the implementation limit activity to fetching leaderboard and wallet activity, analyzing sells, and placing trades via SimmerClient. There are no instructions to read unrelated local files, inspect other environment variables, or exfiltrate arbitrary data to unexpected endpoints.
- Install Mechanism (ok): This is instruction-first with a declared pip dependency on simmer-sdk (no install script or arbitrary downloads). That dependency is proportionate to the stated functionality; no extract-from-URL or personal server downloads were found.
- Credentials (ok): Only SIMMER_API_KEY is declared/used. The code reads that API key to instantiate SimmerClient; no unrelated secrets (AWS keys, SSH keys, etc.) are requested. The required environment variables are proportional to a trading SDK client.
- Persistence & Privilege (ok): The skill is not always-on (always:false), autostart is false, and autonomous invocation is the platform default. The skill's automaton entrypoint is the included trader.py; it does not attempt to modify other skills or system-wide settings.
