Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Polymarket Youtube Channel Trader
v1.0.4
Trades Polymarket YouTube channel markets (subscriber milestones, view-count races). Requires SIMMER_API_KEY for trade execution via simmer-sdk. Paper tradin...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to trade Polymarket YouTube-channel markets and the included trader.py and SKILL.md clearly require a SIMMER_API_KEY and the simmer-sdk to execute trades — this is appropriate for a trading skill. However, the registry-level metadata provided earlier lists no required env vars or primary credential, which contradicts clawhub.json and SKILL.md. That mismatch is unexpected and reduces trust in the packaging/metadata.
Instruction Scope
SKILL.md and trader.py limit behavior to market discovery, signal calculation, and trade execution via simmer-sdk. The skill defaults to paper trading and only performs live trades with an explicit --live flag. Instructions do mention optionally wiring in YouTube Data API v3 (which would add further credentials), but nothing in the provided files instructs the agent to read unrelated system files or exfiltrate arbitrary data.
Install Mechanism
There is no explicit install spec in the registry summary, but clawhub.json and SKILL.md declare a pip dependency 'simmer-sdk'. Because the skill includes executable Python (trader.py) that imports simmer_sdk, the environment must install that package for the skill to function. The absence of a formal install section in the registry combined with pip requirements in the files is an inconsistency to resolve before installing.
Credentials
The only runtime secret the skill needs is SIMMER_API_KEY (used to authenticate trade execution), which is proportionate for a trading bot. However: (1) the registry metadata reported 'Required env vars: none' while clawhub.json and SKILL.md require SIMMER_API_KEY and several SIMMER_* tunables, and (2) providing this API key enables the skill to place real financial trades if --live is used. Ensure you understand the permissions tied to the key and only provide it if you intend to permit trading.
Persistence & Privilege
The skill is not set to always:true and autostart is false. clawhub.json marks the automaton as managed with entrypoint trader.py, meaning the skill contains runnable code that the agent can execute when invoked or scheduled, but it does not force-run on every agent invocation. This is expected for a trading automaton but you should confirm autostart/cron settings remain disabled unless you want scheduled runs.
What to consider before installing
This package contains real executable trading code (trader.py) and claims to use a SIMMER_API_KEY and the simmer-sdk to place orders. Before installing:
(1) don't trust the registry metadata that says no env vars are required — clawhub.json and SKILL.md do require SIMMER_API_KEY and other SIMMER_* tunables;
(2) if you do not want live trading, never supply a live SIMMER_API_KEY (use paper/sim credentials or omit the key);
(3) verify what permissions the SIMMER_API_KEY grants and use a limited-scope key you can rotate;
(4) confirm how the environment will install the 'simmer-sdk' pip package (run in an isolated sandbox first);
(5) audit the full trader.py (network endpoints, logging, error handling) for any unexpected remote calls or credential transmission; and
(6) keep autostart/cron disabled unless you explicitly want scheduled autonomous trades.
The main red flag is inconsistent metadata (registry vs. included files) — ask the publisher to clarify and fix the manifest before trusting this skill with real funds.
Like a lobster shell, security has layers — review code before you run it.
