Skill v1.0.1
ClawScan security
Polymarket Whale Scanner Trader · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 28, 2026, 2:33 PM
- Verdict: suspicious
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code and instructions match its stated trading purpose and only request a Simmer API key, but the registry metadata (which claims no env or deps) conflicts with the files — this inconsistency and the use of a third‑party trading SDK warrant caution before installing or providing live credentials.
- Guidance: Before installing or giving this skill your SIMMER_API_KEY:
  - Confirm the registry metadata mismatch: the registry header you were shown claims no required env or deps, but the package (clawhub.json and SKILL.md) requires SIMMER_API_KEY and installs simmer-sdk. Ask the publisher to correct the metadata or explain the discrepancy.
  - Review the simmer-sdk source (PyPI/GitHub link in SKILL.md) to ensure you trust the SDK that will be used to execute trades.
  - Test thoroughly in paper mode (the default) and inspect logs before running with --live; real USDC trades only occur when you explicitly pass --live.
  - Consider rotating any API key used for testing and grant the least privilege possible; do not provide live trading credentials until you have audited the SDK and are comfortable with the risk.
  - If you need higher assurance, request signed provenance or a reproducible build and verify the Simmer SDK package integrity (hashes) before installation.
Review Dimensions
- Purpose & Capability: concern
  - The skill's name, SKILL.md, clawhub.json, and trader.py are coherent: they fetch public Polymarket data and use a Simmer SDK client to run paper or live trades, which justifies requiring SIMMER_API_KEY and the simmer-sdk dependency. However, the top-level registry metadata you were shown earlier ("Required env vars: none", "Primary credential: none") contradicts the bundled clawhub.json and SKILL.md, which both require SIMMER_API_KEY. That metadata mismatch is an incoherence that should be resolved before trusting the skill.
- Instruction Scope: ok
  - SKILL.md and trader.py limit actions to fetching public leaderboards (predicting.top), the Polymarket public data API, applying configurable risk filters, and invoking the SimmerClient for paper or explicit live trades. The instructions do not attempt to read unrelated files or extra environment secrets.
- Install Mechanism: note
  - There is no arbitrary download/install script in the bundle. clawhub.json declares a pip dependency on 'simmer-sdk' (PyPI). Installing from PyPI is a normal moderate-risk dependency (review the simmer-sdk source before providing credentials).
- Credentials: ok
  - The only required secret is SIMMER_API_KEY, used to authorize trading via the Simmer SDK — this is proportionate to a trading skill. The skill also exposes many SIMMER_ tunables as env vars, which is expected for a trading configuration. No unrelated credentials or broad system secrets are requested.
- Persistence & Privilege: ok
  - The skill is not always-enabled and autostart is false. It does not request elevated platform privileges or modify other skills. The agent may invoke it autonomously by default (normal for skills), but that is not combined with other concerning privileges.
