Trading

Warn

Audited by ClawScan on May 10, 2026.

Overview

This is a disclosed real-money Polymarket trading bot, but it can run live trades automatically on a schedule and its package provenance is unclear, so it needs careful review before use.

Before installing, verify the publisher/source and run only in dry-run mode until you understand the strategy. If you enable live trading, use a dedicated low-balance account/key, set strict position and loss limits, monitor cron or heartbeat jobs, and remove the schedule when you no longer want automated trades.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If configured incorrectly or if the signal performs poorly, the user could lose real funds through repeated automated trades.

Why it was flagged

The skill clearly supports real-money trading and provides a quiet one-minute live loop example. That is purpose-aligned, but high-impact because live trades can be placed repeatedly without per-trade confirmation or visible daily loss limits.

Skill content

“All trades execute on Polymarket with real USDC. Use `--live` for real trades” and “* * * * * cd /path/to/skill && python fastloop_trader.py --live --quiet”

Recommendation

Use dry-run first, keep funding/API permissions minimal, avoid live cron until tested, and add explicit cumulative loss limits, position caps, monitoring, and a kill switch.

What this means

A configured cron or heartbeat can keep making live trading decisions even when the user is not actively watching.

Why it was flagged

The background scheduling is disclosed and user-directed, but it creates persistent autonomous trading behavior that continues after setup.

Skill content

“The script runs one cycle — your bot drives the loop. Set up a cron job or heartbeat” and “Via OpenClaw heartbeat: Add to your HEARTBEAT.md: Run: cd /path/to/fast market && python fastloop_trader.py --live --quiet”

Recommendation

Only add cron/heartbeat entries intentionally, document where they are installed, monitor executions, and remove or disable them when not actively desired.

What this means

Anyone or anything with access to the API key may be able to act through the user's Simmer/Polymarket trading setup.

Why it was flagged

The skill uses a bearer API key to call Simmer, which is expected for trade execution, but the credential is financially sensitive and the API base can be environment-selected.

Skill content

SIMMER_BASE = os.environ.get("SIMMER_API_BASE", "https://api.simmer.markets") ... headers["Authorization"] = f"Bearer {api_key}"

Recommendation

Use a dedicated limited-scope key if available, keep only small funds accessible, verify SIMMER_API_BASE is not overridden unexpectedly, and rotate the key if exposed.

What this means

The user may have less assurance that the reviewed package is from the expected publisher or version before granting trading access.

Why it was flagged

The registry identity and bundled metadata do not line up, and there is no source/homepage provenance to independently verify the package. That matters more because the skill can execute live financial trades.

Skill content

Registry: “Source: unknown”, “Homepage: none”, “Slug: poly”, “Version: 1.0.0”; _meta.json: "slug": "polymarket-fast-loop", "version": "1.0.6"

Recommendation

Verify the publisher and source out of band, prefer a signed or public repository, and do not provide trading credentials until the package identity/version is confirmed.