Manual Trade Placement

Pass. Audited by VirusTotal on May 10, 2026.

Overview

Type: OpenClaw Skill
Name: polymarket-manual-trade
Version: 1.1.0

The skill provides legitimate functionality for placing manual trades on Polymarket via the Simmer API. The code in `manual_trade.py` handles market resolution, price discovery from the Polymarket CLOB, and order execution using the `simmer-sdk`. It requires two sensitive environment variables (`SIMMER_API_KEY` and `WALLET_PRIVATE_KEY`), both necessary for its stated purpose of on-chain trading. Network communication is restricted to the expected endpoints (api.simmer.markets and clob.polymarket.com), and there is no evidence of data exfiltration, malicious code execution, or harmful prompt injection.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A mistaken or unintended invocation could spend funds, lock funds, or cancel live orders.

Why it was flagged

Once invoked, the code places a real trade by default (or, with --cancel, cancels the market's open orders); the only preview path is the optional --dry-run flag, and no mandatory confirmation step or spending limit is present in the code.

Skill content

if args.cancel: ... result = client.cancel_market_orders(market_id) ...
if args.dry_run: ... return
...
result = client.trade(market_id=market_id, side=side.lower(), amount=args.amount, price=limit_price, order_type=args.order, ... allow_rebuy=True)

Recommendation

Require an explicit user confirmation immediately before every live trade or cancellation, enforce per-trade and daily spend limits, and make dry-run the default.
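One way to implement that recommendation as a wrapper around the two live calls quoted above: preview is the default, a live action requires the user to type a confirmation phrase that encodes the exact market, side, amount and price (so a stale "yes" cannot be reused for a different order), and per-trade and daily spend limits are checked before anything is sent. This is an added example, not code from the skill or from the simmer-sdk; it assumes a client object exposing trade(...) and cancel_market_orders(...) with the keyword arguments visible in the quoted snippet, and RecordingClient is a constructed stand-in so the example runs offline.

```python
"""Guarded execution: dry-run by default, typed confirmation bound to the exact
order, per-trade and daily spend limits. Added example; RecordingClient is a
constructed stand-in for the real SDK client (assumed method names/kwargs)."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


class TradeRefused(Exception):
    """Raised when a live action fails a guard; nothing was sent."""


@dataclass
class Order:
    market_id: str
    side: str                 # "buy" or "sell"
    amount: float             # collateral committed to this order
    price: float              # limit price
    order_type: str = "limit"
    allow_rebuy: bool = False  # SDK flag from the snippet; kept explicit, not hard-coded True

    def phrase(self) -> str:
        # The user must type exactly this; it binds the confirmation to these parameters.
        return f"{self.side.upper()} {self.amount:.2f} on {self.market_id} @ {self.price:.2f}"


@dataclass
class SpendLimits:
    per_trade: float
    daily: float
    spent: float = 0.0
    day: date = field(default_factory=date.today)

    def check(self, amount: float, today: Optional[date] = None) -> None:
        today = today or date.today()
        if today != self.day:          # new day: reset the running total
            self.day, self.spent = today, 0.0
        if amount > self.per_trade:
            raise TradeRefused(f"{amount:.2f} exceeds per-trade limit {self.per_trade:.2f}")
        if self.spent + amount > self.daily:
            raise TradeRefused(f"{amount:.2f} would exceed daily limit {self.daily:.2f} (spent {self.spent:.2f})")

    def record(self, amount: float) -> None:
        self.spent += amount


def place_trade(client, order: Order, limits: SpendLimits, *, live: bool = False,
                confirmation: str = "", today: Optional[date] = None) -> dict:
    """Preview unless live=True; a live order needs the typed phrase and passes limits."""
    if not live:
        return {"action": "preview", "order": order.phrase()}
    if confirmation.strip() != order.phrase():
        raise TradeRefused("confirmation does not match the order; expected: " + order.phrase())
    limits.check(order.amount, today)
    result = client.trade(market_id=order.market_id, side=order.side.lower(),
                          amount=order.amount, price=order.price,
                          order_type=order.order_type, allow_rebuy=order.allow_rebuy)
    limits.record(order.amount)
    return {"action": "placed", "order": order.phrase(), "result": result}


def cancel_orders(client, market_id: str, *, live: bool = False, confirmation: str = "") -> dict:
    """Same pattern for cancellation: preview by default, typed phrase for live."""
    phrase = f"CANCEL all orders on {market_id}"
    if not live:
        return {"action": "preview", "cancel": phrase}
    if confirmation.strip() != phrase:
        raise TradeRefused("confirmation does not match; expected: " + phrase)
    return {"action": "cancelled", "cancel": phrase, "result": client.cancel_market_orders(market_id)}


class RecordingClient:
    """Constructed stand-in: records calls, sends nothing to any API."""
    def __init__(self):
        self.calls = []

    def trade(self, **kwargs):
        self.calls.append(("trade", kwargs))
        return {"status": "ok", "id": f"order-{len(self.calls)}"}

    def cancel_market_orders(self, market_id):
        self.calls.append(("cancel", market_id))
        return {"status": "ok"}


if __name__ == "__main__":
    client = RecordingClient()
    limits = SpendLimits(per_trade=50.0, daily=100.0)
    order = Order("0xabc123", "buy", 25.0, 0.62)
    print(place_trade(client, order, limits))                                    # preview only
    print(place_trade(client, order, limits, live=True, confirmation=order.phrase()))
    big = Order("0xabc123", "buy", 80.0, 0.62)
    try:
        place_trade(client, big, limits, live=True, confirmation=big.phrase())
    except TradeRefused as e:
        print("refused:", e)                                                     # per-trade limit
```

The confirmation phrase is compared to a string derived from the order itself rather than to a bare "y", so the prompt the agent shows the user and the parameters actually sent cannot drift apart; the limit object is the only piece that holds state, and it should be persisted outside the process if the skill is invoked repeatedly.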

Concern (High Confidence)
ASI08: Cascading Failures
What this means

An ambiguous or mismatched URL import could lead to a real trade on the wrong market.

Why it was flagged

When importing a Polymarket URL, the resolver silently falls back to the first returned market if it cannot match the URL slug, and that resolved market is later used for order placement.

Skill content

if not matched:
    matched = markets[0]

Recommendation

Abort on ambiguous imports and require the user to confirm the exact market question, ID, side, amount, and price before any live order.
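To make the failure mode concrete, here is the lenient fallback quoted above beside a strict resolver that returns a market only when exactly one slug matches and otherwise raises with the candidates listed so the user can choose by id. This is an added example, not the skill's code; it assumes the search results are dicts with "id", "slug" and "question" keys and that the market slug is the last path segment of the URL (both assumptions), and SAMPLE_MARKETS is a constructed search result.

```python
"""Strict slug resolution for a Polymarket URL import (added example, not the
skill's code). Field names and URL layout are assumptions; the sample markets
are constructed."""
from urllib.parse import urlparse


class AmbiguousMarket(Exception):
    """Raised instead of guessing; the caller must ask the user to pick a market."""


def slug_from_url(url: str) -> str:
    """Last non-empty path segment, ignoring query string and fragment."""
    parts = [p for p in urlparse(url).path.split("/") if p]
    return parts[-1].lower() if parts else ""


def resolve_market_lenient(url: str, markets: list) -> dict:
    """The pattern quoted above: no slug match silently becomes markets[0]."""
    slug = slug_from_url(url)
    matched = next((m for m in markets if m["slug"] == slug), None)
    if not matched:
        matched = markets[0]
    return matched


def resolve_market_strict(url: str, markets: list) -> dict:
    """Return the market only when exactly one slug matches; otherwise abort."""
    slug = slug_from_url(url)
    if not slug:
        raise AmbiguousMarket(f"could not derive a market slug from {url!r}")
    if not markets:
        raise AmbiguousMarket(f"search returned no markets for slug {slug!r}")
    exact = [m for m in markets if m.get("slug", "").lower() == slug]
    if len(exact) == 1:
        return exact[0]
    # Zero matches (search returned neighbours, not the target) or a duplicate
    # slug: show candidates so the user can choose by id, but never pick one.
    listing = "; ".join(f'{m["id"]}: {m["question"]}' for m in (exact or markets)[:5])
    raise AmbiguousMarket(f"{len(exact)} exact matches for slug {slug!r}; candidates: {listing}")


# Constructed search result: slug-prefix neighbours of the market the user meant.
SAMPLE_MARKETS = [
    {"id": "m1", "slug": "will-it-rain-in-nyc-on-may-31", "question": "Rain in NYC on May 31?"},
    {"id": "m2", "slug": "will-it-rain-in-nyc-on-june-1", "question": "Rain in NYC on June 1?"},
]

if __name__ == "__main__":
    url = "https://polymarket.com/event/will-it-rain-in-nyc-on-june-2?tid=123"
    print(resolve_market_lenient(url, SAMPLE_MARKETS)["id"])  # m1: wrong market, no error
    try:
        resolve_market_strict(url, SAMPLE_MARKETS)
    except AmbiguousMarket as e:
        print("aborted:", e)
```

The strict version treats a duplicate slug the same way as a missing one: the search API's first hit is not evidence of intent, and the cost of a wrong market is a real position, so the only safe automatic outcome is to stop.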

What this means

If the key is misused or exposed by the runtime or dependencies, funds or trading authority could be at risk.

Why it was flagged

The credential requirement is disclosed and purpose-aligned, but a wallet private key is a high-impact credential that can authorize real financial actions.

Skill content

`SIMMER_API_KEY` — your Simmer API key
`WALLET_PRIVATE_KEY` — your Polymarket wallet private key (for on-chain signing)

Recommendation

Use a dedicated wallet with minimal funds and limited approvals, rotate keys if exposed, and avoid providing a primary wallet private key.

What this means

A changed or compromised dependency could affect how trades are submitted or how credentials are handled.

Why it was flagged

The financial trading workflow relies on an external SDK that is not pinned to an exact version in the manifest, while sensitive credentials are available in the same runtime.

Skill content

"requires": {
  "env": ["SIMMER_API_KEY", "WALLET_PRIVATE_KEY"],
  "pip": ["simmer-sdk"]
}

Recommendation

Pin the SDK to a reviewed version, verify its provenance, and re-review dependency updates before using the skill with real funds.
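A small audit and preflight for that recommendation: flag manifest pip entries that are not pinned with `==`, rewrite them from a map of reviewed releases, and refuse to run the trading path when the installed package is not the reviewed version. This is an added example, not ClawScan's scanner or the skill's code; it assumes the manifest's "requires.pip" list accepts standard pip requirement specifiers (name==version), the manifests below are constructed, and the version 1.2.3 is a placeholder for whatever release you actually reviewed.

```python
"""Dependency pin audit and runtime preflight for a skill manifest (added
example, not ClawScan's or the skill's code). Manifests are constructed and
1.2.3 is a placeholder version."""
import json
import re
from importlib import metadata

# name, optional extras, exact == pin: a PEP 508 subset sufficient for this check
PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*==\s*([0-9][0-9A-Za-z.!+-]*)\s*$")
NAME_SPLIT = re.compile(r"[\s\[<>=!~;]")


def pip_requirements(manifest_json: str) -> list:
    return json.loads(manifest_json).get("requires", {}).get("pip", [])


def audit_pip_requirements(reqs) -> list:
    """One finding per entry that is not pinned to an exact version."""
    findings = []
    for req in reqs:
        if not PIN_RE.match(req):
            name = NAME_SPLIT.split(req, 1)[0] or req
            findings.append(f"{name}: not pinned to an exact version (use {name}==X.Y.Z)")
    return findings


def audit_manifest(manifest_json: str) -> list:
    return audit_pip_requirements(pip_requirements(manifest_json))


def pin_manifest(manifest_json: str, reviewed: dict) -> str:
    """Rewrite unpinned entries from a {name: version} map of reviewed releases.
    An entry with no reviewed version is an error, not a guess."""
    manifest = json.loads(manifest_json)
    pinned = []
    for req in manifest.get("requires", {}).get("pip", []):
        if PIN_RE.match(req):
            pinned.append(req)
            continue
        name = NAME_SPLIT.split(req, 1)[0]
        if name not in reviewed:
            raise ValueError(f"no reviewed version for {name!r}; refusing to guess")
        pinned.append(f"{name}=={reviewed[name]}")
    manifest.setdefault("requires", {})["pip"] = pinned
    return json.dumps(manifest, indent=2)


def installed_matches_pin(pin_spec: str, installed_version: str) -> bool:
    m = PIN_RE.match(pin_spec)
    return bool(m) and m.group(2) == installed_version


def preflight(pin_spec: str) -> str:
    """Call before the trading path: returns the installed version or raises."""
    m = PIN_RE.match(pin_spec)
    if not m:
        raise RuntimeError(f"{pin_spec!r} is not an exact pin")
    name = m.group(1)
    try:
        installed = metadata.version(name)
    except metadata.PackageNotFoundError:
        raise RuntimeError(f"{name} is not installed")
    if not installed_matches_pin(pin_spec, installed):
        raise RuntimeError(f"{name} {installed} installed but reviewed pin is {pin_spec}")
    return installed


# Constructed: the manifest shape quoted above, then its pinned form.
WEAK_MANIFEST = json.dumps({"requires": {"env": ["SIMMER_API_KEY", "WALLET_PRIVATE_KEY"],
                                         "pip": ["simmer-sdk"]}})
REVIEWED = {"simmer-sdk": "1.2.3"}  # placeholder: the release you actually reviewed

if __name__ == "__main__":
    print(audit_manifest(WEAK_MANIFEST))
    fixed = pin_manifest(WEAK_MANIFEST, REVIEWED)
    print(fixed, audit_manifest(fixed))
    try:
        preflight("simmer-sdk==1.2.3")
    except RuntimeError as e:
        print("refusing to trade:", e)
```

An exact pin in the manifest stops silent upgrades; to also catch a re-published artifact under the same version, install from a requirements file with `--hash=sha256:...` entries and `pip install --require-hashes`, and keep the private key out of any environment where the dependency is being updated or tested.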