Polymarket Btc Midcandle
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: polymarket-btc-midcandle Version: 1.1.1 The skill is a functional trading bot designed to execute momentum-based trades on Polymarket BTC markets via the Simmer SDK. It fetches market data from Binance (api.binance.com) and manages trades through the Simmer API, with optional Discord notifications. While the code contains minor bugs (e.g., references to undefined functions like 'record_trade_outcome' and missing config keys like 'max_consecutive_losses' in btc_midcandle.py), there is no evidence of malicious intent, data exfiltration, or unauthorized system access.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
In live or cron mode, a bad market match could place real-money trades in an unintended Polymarket market.
The bot broadly searches active BTC markets and returns the first match, then has code to place a live trade. The provided snippet does not show strict validation of the exact intended 15-minute BTC Up/Down contract before spending funds.
params={"status": "active", "q": "BTC", "limit": 20, "agent_id": POLY_AGENT_ID} ... candidates = [m for m in markets if "15" in m.get("question", "")] ... return candidates[0] ... get_client().trade(market_id=market_id, side=side, amount=amount, ...)Require exact market ID, event type, expiry time, and outcome validation before every live order; display the selected market and add per-run and daily loss limits.
Users may over-trust the bot and risk funds based on promotional win-rate claims rather than independently verified performance.
The skill makes strong, unsupported performance and profitability claims while asking users to enable automated real-money trading.
"75%+ win rate. Real money. 400+ trades." ... "highest-performing BTC strategy" ... "profitable over months of live trading. Now you can run it yourself."
Treat the performance claims as unverified; use paper mode, small sizes, independent logs, and clear loss limits before considering live trading.
If the API key is broad or exposed, someone or something with access to it could potentially act on the connected trading account.
The skill requires a Simmer API key, which is expected for the stated trading integration but is sensitive because it enables account/API access for trading operations.
"requires": { "env": ["SIMMER_API_KEY"], "pip": ["simmer-sdk"] }Use the least-privileged key available, set small account and order limits, keep the key out of logs, and revoke it if you stop using the bot.
Once enabled, the bot may continue placing live trades on schedule until the cron job is removed or disabled.
The skill recommends a recurring cron job that runs in live mode every five minutes. This is disclosed and purpose-aligned, but it is persistent autonomous financial activity.
3,8,13,18,23,28,33,38,43,48,53,58 * * * * cd /path/to/skill && python btc_midcandle.py --live >> /var/log/btc-midcandle.log 2>&1
Only enable cron after paper testing; monitor logs and positions, document how to stop it, and use conservative trade and loss limits.
A future dependency change could alter trading behavior or introduce defects outside the reviewed artifact.
The skill depends on an unpinned external Python package for the trading integration. This is expected for the purpose, but the exact dependency version is not fixed in the artifact.
"pip": ["simmer-sdk"]
Pin and verify dependency versions before live trading, and install from a trusted package source.