Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Polymarket Market Importer
v1.0.3
Auto-discover and import Polymarket markets matching your keywords, tags, and volume criteria. Runs on a schedule so you never miss a new market worth tradin...
by Dyll @djdyll
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The code, README, and SKILL.md all implement a market-importer that uses the simmer-sdk and an API key (SIMMER_API_KEY) to search and import Polymarket markets into Simmer — this is coherent with the skill's described purpose. However, the top-level registry summary incorrectly lists "Required env vars: none" and "Install specifications: No install spec", while clawhub.json and SKILL.md require the SIMMER_API_KEY and the pip package simmer-sdk. That metadata mismatch is inconsistent and should be resolved.
Instruction Scope
Runtime instructions are focused: install simmer-sdk, set SIMMER_API_KEY, configure filters, run dry-run or --live. The code only reads the declared API key (plus an optional TRADING_VENUE) and persists seen market IDs locally. There are no instructions to read unrelated system files, secrets, or to send data to unexpected endpoints beyond the Simmer SDK.
Install Mechanism
There is no installer in the registry header (the skill was listed as instruction-only), but clawhub.json and SKILL.md require pip installing simmer-sdk. That mismatch is an incoherence in the packaging metadata. The pip dependency itself (simmer-sdk) is proportionate to the task, but you should inspect the simmer-sdk package (source/ownership) before installing.
Credentials
The code legitimately requires SIMMER_API_KEY to authenticate to Simmer; that is proportionate to the skill's purpose. However, the registry-level metadata incorrectly omitted this requirement. Confirming the skill's declared required envs (SIMMER_API_KEY) matches the registry is important to avoid surprises. No other unrelated secrets are requested.
Persistence & Privilege
The skill persists only a local file (imported_markets.json) to track seen markets and runs on a scheduled cron defined in clawhub.json. It does not request always:true, system-wide config changes, or other skills' credentials. Running on a schedule (cron) is expected for this use case.
What to consider before installing
This skill mostly does what it says: it searches Polymarket via the Simmer SDK and imports matches into your Simmer account. Before installing:
1) Note the registry metadata mismatch — the skill needs SIMMER_API_KEY and the simmer-sdk even though the top-level summary omitted them.
2) Verify the simmer-sdk package (PyPI/project repo) and its owner to ensure it’s trustworthy and review its permissions/behavior.
3) Treat the provided SIMMER_API_KEY like any API secret — use a key with only the minimal permissions required, consider rotating it, and avoid sharing it broadly.
4) The skill writes imported_markets.json into its directory; if you run it in a shared environment, consider where that file will live.
5) The visible source appears consistent with the stated purpose, but there is a truncated snippet in the provided file listing (report['skip_reason'] = "no_markets …[truncated]") — ask the author for the complete source or inspect the packaged market_importer.py to ensure there are no syntax errors or hidden behavior.
If you cannot verify the upstream source/author or the simmer-sdk, exercise caution (run in a sandbox or review the SDK source) before giving it access to your API key.
Like a lobster shell, security has layers — review code before you run it.
latestvk9772q9096f3tfdxbzgyjny02982xh2m
