Skill v1.0.1
ClawScan security
Polymarket Whale Streak Trader · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 28, 2026, 2:33 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and required credential (SIMMER_API_KEY) are coherent with its stated purpose of following and copying 'hot' whale trades via the Simmer SDK; nothing in the package requests unrelated secrets or performs unexpected system access.
- Guidance: This package appears to do what it says: it reads public leaderboards and Polymarket activity, computes streaks, and uses the Simmer SDK to place trades. Before installing: 1) Run in paper mode first (default) and test behavior; 2) Ensure the SIMMER_API_KEY you provide is scoped with the least privilege necessary (e.g., separate key for paper vs live, withdrawal-disabled if possible); 3) Inspect or vet the simmer-sdk pip package (supply-chain risk) or pin a known-good version; 4) Verify you understand and accept that live trading requires passing --live and that real funds will be at risk when that flag and a valid key are used; 5) If you want additional assurance, review the full trader.py (the remainder of the file) and any network endpoints used by simmer-sdk for unexpected telemetry or endpoints.
Review Dimensions
- Purpose & Capability: ok. The skill is a Polymarket whale-following trader and requires only a Simmer SDK API key (SIMMER_API_KEY) to place trades via the SimmerClient. The declared pip dependency (simmer-sdk) and the use of Polymarket/predicting.top public APIs match the stated functionality.
- Instruction Scope: ok. SKILL.md describes fetching leaderboard data, computing rolling win rates, filtering wallets, and only executing real trades when an explicit --live flag is provided. The implementation follows those instructions: it calls predicting.top and the Polymarket data API for reads and uses SimmerClient for trade actions. The runtime instructions do not ask the agent to read unrelated files or secrets.
- Install Mechanism: ok. This is an instruction-only skill with a declared pip dependency (simmer-sdk) in clawhub.json. No arbitrary downloads, URL shorteners, or extract/install steps are present. Installing simmer-sdk from PyPI is a standard, traceable mechanism; users should still vet that package.
- Credentials: ok. The only required environment credential is SIMMER_API_KEY and the other SIMMER_* entries are tunables for risk parameters; these are proportionate to a trading skill. Note: the SIMMER_API_KEY grants the skill the ability to place (or simulate) trades, so its permissions and scope should be limited appropriately by the user.
- Persistence & Privilege: ok. always:false (no force-inclusion) and the skill does not request system-level persistence. It calls _client.apply_skill_config(SKILL_SLUG) when available, which is consistent with applying local Simmer runtime config and not modifying other skills or global agent settings.
