Polymarket Btc Midcandle
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
This is a disclosed crypto trading bot, but it can run recurring real-money trades and has broad market selection plus strong profit claims that users should review carefully.
Do not treat this as a set-and-forget money-making bot. If you install it, verify the code and dependency, run paper mode first, use a small limited account/key, confirm the exact Polymarket market before live trades, and only enable the cron job if you understand how to stop it and can absorb losses.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
In live or cron mode, a bad market match could place real-money trades in an unintended Polymarket market.
The bot broadly searches active BTC markets and returns the first match, then has code to place a live trade. The provided snippet does not show strict validation of the exact intended 15-minute BTC Up/Down contract before spending funds.
params={"status": "active", "q": "BTC", "limit": 20, "agent_id": POLY_AGENT_ID} ... candidates = [m for m in markets if "15" in m.get("question", "")] ... return candidates[0] ... get_client().trade(market_id=market_id, side=side, amount=amount, ...)
Require exact market ID, event type, expiry time, and outcome validation before every live order; display the selected market and add per-run and daily loss limits.
Users may over-trust the bot and risk funds based on promotional win-rate claims rather than independently verified performance.
The skill makes strong, unsupported performance and profitability claims while asking users to enable automated real-money trading.
"75%+ win rate. Real money. 400+ trades." ... "highest-performing BTC strategy" ... "profitable over months of live trading. Now you can run it yourself."
Treat the performance claims as unverified; use paper mode, small sizes, independent logs, and clear loss limits before considering live trading.
If the API key is broad or exposed, someone or something with access to it could potentially act on the connected trading account.
The skill requires a Simmer API key, which is expected for the stated trading integration but is sensitive because it enables account/API access for trading operations.
"requires": { "env": ["SIMMER_API_KEY"], "pip": ["simmer-sdk"] }
Use the least-privileged key available, set small account and order limits, keep the key out of logs, and revoke it if you stop using the bot.
Once enabled, the bot may continue placing live trades on schedule until the cron job is removed or disabled.
The skill recommends a recurring cron job that runs in live mode every five minutes. This is disclosed and purpose-aligned, but it is persistent autonomous financial activity.
3,8,13,18,23,28,33,38,43,48,53,58 * * * * cd /path/to/skill && python btc_midcandle.py --live >> /var/log/btc-midcandle.log 2>&1
Only enable cron after paper testing; monitor logs and positions, document how to stop it, and use conservative trade and loss limits.
A future dependency change could alter trading behavior or introduce defects outside the reviewed artifact.
The skill depends on an unpinned external Python package for the trading integration. This is expected for the purpose, but the exact dependency version is not fixed in the artifact.
"pip": ["simmer-sdk"]
Pin and verify dependency versions before live trading, and install from a trusted package source.
