Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Simmer Resolution Tracker
v1.1.0
Monitors your Simmer positions for resolutions, logs wins/losses to your trade journal, and automatically redeems winning positions on-chain. Built for Simme...
by Dyll @djdyll
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (monitor resolutions, log PnL, post Discord alerts, redeem on-chain) match the code and metadata. The skill requires simmer-sdk and the SIMMER_API_KEY and WALLET_PRIVATE_KEY which are expected for polling the Simmer API and performing on‑chain redemptions.
Instruction Scope
SKILL.md and README instruct the agent to poll Simmer, match trades in a local trade_journal.jsonl, post Discord webhooks, and redeem via the simmer-sdk — which the code implements. The code also loads a local .env or ~/.env if present (development convenience) which will cause the skill to read additional environment variables from disk; this is outside the declared config paths and could cause accidental access to other secrets stored there.
Install Mechanism
No remote downloads or obscure installers. The skill is instruction-only with a pip dependency (simmer-sdk) declared in clawhub.json and explained in SKILL.md; that is proportionate and expected for Python-based integration with Simmer.
Credentials
Requested credentials (SIMMER_API_KEY and WALLET_PRIVATE_KEY) are sensitive but justified by the functionality (API access and signing/redemption). The skill treats WALLET_PRIVATE_KEY as required; if you don't want automatic redemptions you can set POLY_MODE=sim. Be aware WALLET_PRIVATE_KEY gives on‑chain signing capability and should be protected (avoid long-lived plaintext keys in shared environments).
Persistence & Privilege
The skill is not always:true and autostart is false. clawhub.json schedules a cron run (*/5) and marks the automaton entrypoint; this matches the SKILL.md 'runs every 5 minutes' claim. The skill writes/reads files only in its DATA_DIR (defaults to ./data/live or ./data/sim), not modifying other skills or system-wide agent settings.
Assessment
This skill appears to do what it says, but it requires your Polymarket wallet private key (WALLET_PRIVATE_KEY) which can be used to sign transactions — treat it as highly sensitive. Before installing: (1) audit the simmer-sdk package and consider pinning a known-good version; (2) prefer using POLY_MODE=sim for testing to avoid exposing or using your private key; (3) do not keep other unrelated secrets in .env or ~/.env in the same environment because the script loads those files automatically; (4) limit filesystem permissions on the DATA_DIR (trade_journal.jsonl and related files) and ensure your runtime environment is trusted; (5) if possible, use a more secure signing approach (hardware wallet or ephemeral key) rather than a long-lived plaintext private key in environment variables.
Like a lobster shell, security has layers — review code before you run it.
latestvk9761spyet3rna0hy841d44qy582xwh2
