ClawHub
Back to skill
v1.0.0

Polymarket Edge Liquidity

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 6:11 AM.

Analysis

The skill is coherent and not malicious, but it deserves review because it can use a Simmer API key to run an automated trading strategy and place live trades when enabled.

GuidanceReview this before installing if you might enable live mode. Keep it in dry-run until you verify the venue is the intended virtual Simmer venue, set conservative trade limits, and use a restricted API key where possible.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityMediumConfidenceHighStatusConcern
edge_liquidity.py
parser.add_argument("--live", action="store_true", help="Execute trades") ... result = client.trade(market_id, side, trade_amount, source=TRADE_SOURCE, skill_slug=SKILL_SLUG, reasoning=reasoning)

Live mode directly invokes the trading API. Although this is the stated purpose and dry-run is the default, the artifact does not show per-trade approval, a daily loss/exposure cap, or reversibility once --live is used.

User impactIf run in live mode, the skill can place trades using the connected account based on its automated filters.
RecommendationOnly enable --live after confirming the venue, using a restricted API key if available, setting a small TRADE_AMOUNT, and adding explicit trade/exposure limits.
Rogue Agents
SeverityLowConfidenceHighStatusNote
SKILL.md
cron: "*/20 * * * *" ... automaton:\n      managed: true\n      entrypoint: "edge_liquidity.py"

The skill declares a managed scheduled automaton that runs every 20 minutes. This is disclosed and fits the market-scanning purpose, but it is persistent background behavior.

User impactThe skill may run on a schedule rather than only when manually invoked.
RecommendationConfirm whether scheduled runs are desired, and ensure scheduled execution remains dry-run unless you intentionally configure live trading.
Agentic Supply Chain Vulnerabilities
SeverityLowConfidenceHighStatusNote
SKILL.md
requires:\n      pip: ["simmer-sdk"]

The skill depends on an unpinned external pip package. This is expected for a Simmer integration, but the artifact does not lock a version.

User impactFuture installs may resolve a different simmer-sdk version than the author tested.
RecommendationPin and review the simmer-sdk version before enabling live trading.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityMediumConfidenceHighStatusNote
edge_liquidity.py
SimmerClient(api_key=os.environ["SIMMER_API_KEY"], venue=os.getenv("TRADING_VENUE", "simmer"))

The skill requires and uses a Simmer API key to access the trading service. This is expected for the purpose, and the artifacts do not show the key being logged or sent elsewhere.

User impactInstalling and using the skill requires granting it access to a Simmer account credential.
RecommendationUse the least-privileged Simmer API key available and rotate/revoke it if you stop using the skill.