Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Simmer Calibration Report

v1.0.4

Run a calibration report on any Simmer trade journal. Win rate and EV broken down by strategy, time of day, price band, and market type. Know exactly where y...

by Dyll (@djdyll)

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.

Security Scan

VirusTotal: Benign

OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The code and documentation focus on reading a local JSONL trade journal and producing analytics — that matches the skill description. However the packaged metadata (clawhub.json) and runtime docs ask for SIMMER_API_KEY and pip-install simmer-sdk. An API key is plausible if the skill sometimes talks to Simmer's API, but the visible report logic operates purely on local journal files and does not require network access for analysis. The declared registry metadata earlier (no required env vars) contradicts the bundled clawhub.json/SKILL.md which do list SIMMER_API_KEY.
Instruction Scope
Runtime instructions are focused and explicit: install simmer-sdk, set SIMMER_API_KEY, and point to a journal file (or let it auto-detect in a workspace path). The script reads files under a workspace path (default ~/.openclaw/workspace/data/...) and may read/update a skill config via simmer_sdk.skill.load_config/update_config. The actions described are within the stated purpose, but the instructions also reference environment variables (SIMMER_API_KEY, OPENCLAW_WORKSPACE, TRADING_VENUE) beyond the calibration inputs — this is expected for integration but worth noting.
Install Mechanism
No network download/install spec in the registry; the README/SKILL.md ask users to pip install simmer-sdk (a normal package manager operation). All bundled code is included in the skill, and there are no external download URLs or extracted archives in the manifest — low install risk from the skill itself.
Credentials
There is a proportionality mismatch: the top-level registry metadata reported no required environment variables, yet clawhub.json and the SKILL.md/README request SIMMER_API_KEY (and the code checks for it in get_client()). For purely local journal analysis, a service API key may be unnecessary. Requiring an API key (and instructing users to export it) increases risk if the key is not actually needed by the parts of the script that run automatically. Other env vars used (OPENCLAW_WORKSPACE, TRADING_VENUE, CALIB_* tuning vars) are reasonable for locating journals and configuring behavior.
Persistence & Privilege
The always flag is false and user-invocable is true. The clawhub.json sets a cron entry and automaton.managed true (it can be scheduled), which means the skill can be run automatically by the platform if enabled — this is expected for an analytics cron. The skill does not request system-wide configuration changes or other skills' credentials in the visible code.
What to consider before installing
This skill appears to be a straightforward analytics script for local Simmer trade journals, but there are a few things to check before installing or supplying secrets:

- Inconsistency: the registry metadata claims no required env vars, but the bundled files (clawhub.json and SKILL.md) require SIMMER_API_KEY. Verify whether you actually need to provide an API key for your use case. If you only want to analyze a local journal file, you should be able to avoid setting the key.
- Search the full calibration_report.py (the provided snippet is truncated) for any code paths that call get_client() or other network I/O. If the script will contact Simmer's API, decide whether you trust sending that API key and whether the calls are necessary.
- If you are unsure, run the script locally in an isolated environment (container or VM) and point CALIB_JOURNAL_PATH to a copy of your journal. Do not export SIMMER_API_KEY unless you confirm the script needs it.
- The skill auto-detects a workspace path (default ~/.openclaw/workspace). If you install it, set CALIB_JOURNAL_PATH explicitly to the exact file you want analyzed to avoid unexpected file access.
- Review simmer-sdk (the dependency) or run in a virtualenv to limit side effects; inspect simmer_sdk.skill.load_config/update_config behavior so you understand whether it writes config files.

If you want, I can scan the rest of calibration_report.py (the truncated portion) for any network calls, secrets exfiltration, or calls to get_client()/SimmerClient to improve confidence.

Latest version id: vk978e6w2y253czm6m8a88rhqms82xdzs
