Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Simmer Signal Service

v1.0.1

Professional Polymarket trading signals powered by Simmer and Binance. Get BUY/SELL/HOLD recommendations with confidence scores for BTC, ETH, SOL fast market...

by qukuaiqiji (@nickqi688)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's code and SKILL.md match the described purpose: it fetches Binance prices, calls Simmer for opportunities, and uses SkillPay for billing. Requested API keys (SIMMER_API_KEY and SKILLPAY_API_KEY) are appropriate for those functions. Minor mismatches exist (different SkillPay base URLs used in the code and metadata), but overall the requested capabilities align with the declared purpose.
Instruction Scope
Runtime instructions and the code are consistent in guiding the agent to fetch market data and bill via SkillPay; they do not attempt to read unrelated system files. However, SKILL.md instructs users to set USER_ID (wallet address) and the CLI requires a --user-id or USER_ID env var at runtime, yet USER_ID is not declared in the registry's required env list — this is an actionable inconsistency. The docs also promote automated cron runs every 5 minutes (high-frequency billing), which is central to its monetization; users should be aware this will generate repeated network/billing calls.
Install Mechanism
No install spec is present (instruction-only with an included script). This is the lower-risk option since nothing arbitrary is downloaded during install. The skill depends on 'requests' per requirements.txt, which is reasonable for its network calls.
Credentials
The two required secrets (SKILLPAY_API_KEY and SIMMER_API_KEY) are relevant to billing and data access and are therefore justified. Concerns: (1) USER_ID is required at runtime but is not declared as a required env var in the registry metadata; (2) the documented and coded pricing/charging amounts disagree (see below), which changes what access to the billing credential means in practice; (3) the code also accepts alternate env names (SKILL_BILLING_API_KEY, SKILLPAY_SKILL_ID, SKILL_ID), which widens the set of environment variables that may carry a billing credential or identifier. Any API key that permits billing should be treated as highly sensitive.
Persistence & Privilege
The skill does not request always: true, does not modify other skills, and does not ask for system-level config paths. Autonomous invocation is allowed by default (platform behavior) but the skill itself does not request elevated persistence beyond normal operation.
Scan Findings in Context
[no_findings] expected: No regex-based pre-scan findings were detected. The code does perform HTTP requests to external services (SkillPay, Simmer, Binance), which is expected for this skill.
What to consider before installing
What to check before installing or using:

1) Billing mismatch: SKILL.md and code comments mention 0.001 USDT per call, but the script charges 0.01 USDT in charge_user() and prints charged amounts of 0.01. Confirm the actual rate with the author or in the code before supplying a SkillPay API key or funding an account.
2) API keys: SKILLPAY_API_KEY grants billing actions; treat it as highly sensitive and provide it only after verifying the SkillPay endpoint and skill_id.
3) USER_ID is required at runtime (or via --user-id) but is not listed in the registry's required env vars. Supply the correct wallet/user id, and test with a demo_ user or test_user_with_balance to avoid unexpected charges.
4) Test in demo/sandbox mode first: use a demo_ user, or run in an environment where network calls are allowed but real charges are prevented.
5) Cron automation: the README encourages running every 5 minutes, which multiplies charges. Set a rate limit or run manually until you have confirmed pricing.
6) For higher assurance, review the full signal_service.py (included in the skill) to confirm the billing endpoints and amounts, and that no unexpected outbound endpoints exist.

These inconsistencies look like sloppy engineering rather than clear malicious intent, but they materially increase the risk of unexpected billing, so proceed cautiously.
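The checks above (undeclared env vars, unexpected outbound hosts, a charge amount that disagrees with the docs, and the cost of a 5-minute cron) can be scripted before you hand over any key. The audit below is an added example and is not part of this listing or of the skill's own code: it runs over a constructed sample source that mimics the patterns the scan report describes, not over the real signal_service.py. The hostnames under .example, the payload field name "amount", and the exact os.environ/os.getenv forms it looks for are assumptions; adjust the regexes to the skill you are actually reviewing.

```python
"""Pre-install audit for a skill script: env vars it reads, hosts it contacts,
and literal amounts it passes to billing calls, compared with what the registry
and docs declare. Added example; not the skill's own code."""
import re
from dataclasses import dataclass, field

# Constructed sample resembling the scan report's findings. It is NOT
# signal_service.py; .example hosts are placeholders, and stats.example.net
# is included deliberately so the unexpected-host check has something to flag.
SAMPLE_SOURCE = '''
import argparse, os, requests

SKILLPAY_API_KEY = os.environ.get("SKILLPAY_API_KEY") or os.getenv("SKILL_BILLING_API_KEY")
SKILL_ID = os.getenv("SKILLPAY_SKILL_ID", os.getenv("SKILL_ID", "simmer-signal"))
SIMMER_API_KEY = os.environ["SIMMER_API_KEY"]

BINANCE_URL = "https://api.binance.com/api/v3/ticker/price"
SIMMER_URL = "https://api.simmer.example/v1/opportunities"
SKILLPAY_URL = "https://api.skillpay.example/v1/charge"
STATS_URL = "https://stats.example.net/ping"

def charge_user(user_id):
    # Docs say 0.001 USDT per call, but the code charges 0.01
    return requests.post(SKILLPAY_URL, json={"skill_id": SKILL_ID,
                                             "user_id": user_id,
                                             "amount": 0.01})

def main():
    args = argparse.ArgumentParser().parse_args()
    user_id = getattr(args, "user_id", None) or os.getenv("USER_ID")
    requests.get(STATS_URL)
    charge_user(user_id)
'''

# Assumed access forms: os.getenv("X"), os.environ.get("X"), os.environ["X"].
ENV_PATTERNS = [
    re.compile(r'os\.(?:getenv|environ\.get)\(\s*["\']([A-Z_][A-Z0-9_]*)["\']'),
    re.compile(r'os\.environ\[\s*["\']([A-Z_][A-Z0-9_]*)["\']\s*\]'),
]
HOST_PATTERN = re.compile(r'https?://([A-Za-z0-9.-]+)')
# Assumed billing payload shape: an "amount" field with a numeric literal.
AMOUNT_PATTERN = re.compile(r'["\']amount["\']\s*:\s*([0-9]*\.?[0-9]+)')


def env_vars_read(src: str) -> set[str]:
    """Every environment variable name the source reads, in any supported form."""
    found: set[str] = set()
    for pat in ENV_PATTERNS:
        found.update(pat.findall(src))
    return found


def outbound_hosts(src: str) -> set[str]:
    """Hostnames of every http(s) URL literal in the source."""
    return set(HOST_PATTERN.findall(src))


def billing_amounts(src: str) -> list[float]:
    """Literal values passed as an 'amount' field."""
    return [float(a) for a in AMOUNT_PATTERN.findall(src)]


@dataclass
class AuditReport:
    undeclared_env: set[str] = field(default_factory=set)
    unexpected_hosts: set[str] = field(default_factory=set)
    amounts_found: list[float] = field(default_factory=list)
    amount_mismatch: bool = False

    def ok(self) -> bool:
        return not (self.undeclared_env or self.unexpected_hosts or self.amount_mismatch)


def audit(src: str, declared_env: set[str], expected_hosts: set[str],
          documented_amount: float) -> AuditReport:
    """Diff what the code does against what the registry metadata and docs claim."""
    amounts = billing_amounts(src)
    return AuditReport(
        undeclared_env=env_vars_read(src) - declared_env,
        unexpected_hosts=outbound_hosts(src) - expected_hosts,
        amounts_found=amounts,
        amount_mismatch=any(abs(a - documented_amount) > 1e-12 for a in amounts),
    )


def projected_daily_charge(amount_per_call: float, interval_minutes: int) -> float:
    """Worst-case daily cost of a cron schedule if every run is billed."""
    return round(amount_per_call * (24 * 60 / interval_minutes), 6)


if __name__ == "__main__":
    report = audit(SAMPLE_SOURCE,
                   declared_env={"SKILLPAY_API_KEY", "SIMMER_API_KEY"},
                   expected_hosts={"api.binance.com", "api.simmer.example",
                                   "api.skillpay.example"},
                   documented_amount=0.001)
    print(report)
    print("USDT/day at a 5-minute cron:",
          projected_daily_charge(max(report.amounts_found), 5))
```

On the constructed sample the audit reports USER_ID and the three alternate key/id names as undeclared, flags stats.example.net as a host outside the expected set, and marks the 0.01 charge as disagreeing with the documented 0.001; at a 5-minute cron that amount is 2.88 USDT per day rather than 0.288. Run the same functions over the real script with the registry's declared env list and the hosts you expect, and treat any non-empty finding as a reason to stay on a demo_ user until the author explains it.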

Like a lobster shell, security has layers — review code before you run it.

latest: vk97an26be2fnj1s4xj2s18tna5828dpj


Runtime requirements

📡 Clawdis
Env: SKILLPAY_API_KEY, SIMMER_API_KEY
