Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Polymarket Fast Loop Improved

v0.1.0

Trade Polymarket BTC/ETH/SOL 5-minute and 15-minute fast markets using multi-signal CEX momentum. Adds funding rate confirmation, order book imbalance, time-...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill claims to trade Polymarket fast markets and asks only for SIMMER_API_KEY (used by the simmer-sdk); that is plausible if the simmer service brokers Polymarket trades. It also relies on public Binance market data (candles, funding, L2 book) which typically don't require API keys. However, the SKILL metadata declares an entrypoint (fastloop_improved.py) and a pip dependency (simmer-sdk) but the skill bundle contains no code files — a mismatch between claimed runtime and what is bundled.
Instruction Scope
The instructions tell the agent/user to pip install simmer-sdk, export SIMMER_API_KEY, run python fastloop_improved.py (paper by default, --live for real trades), and read/write a local ledger (fastloop_ledger.json). They also provide cron examples to run every 5 minutes. The instructions remain within the trading domain, but they assume a local Python script that is not included, and they direct filesystem writes and network access to external services for trading — including the possibility of live (real-money) trades.
Install Mechanism
There is no install spec from the registry and no files are written by the skill itself. The SKILL.md recommends 'pip install simmer-sdk' which is a normal package install. Because the skill is instruction-only, there is low direct install risk from the registry, but running the recommended pip install and executing external scripts (not provided) introduces runtime risk under user control.
Credentials
Only SIMMER_API_KEY is required, which is proportionate to a brokered trading skill. However, the evaluator cannot confirm what permissions that key grants (trading only vs. transfers/withdrawals/config changes). The SKILL.md does not request or document any Polymarket-specific keys or Binance keys, which is plausible if simmer-sdk abstracts access, but the lack of explicit permission guidance is a concern.
Persistence & Privilege
The skill is not marked 'always:true' and defaults to requiring invocation. Metadata shows an automaton entrypoint (managed=true) which implies it can be scheduled/managed by the platform if the entrypoint exists. Combined with the ability to run live trades via SIMMER_API_KEY, autonomous invocation or cron usage increases the operational risk. The bundle itself does not persist additional system-wide configurations.
What to consider before installing
Do not install or run this skill until you verify provenance and code. Key points to check before use:
- The skill package contains only instructions but references fastloop_improved.py as the runtime entrypoint; ask the publisher where that script comes from. Running an unknown script is risky.
- Verify exactly what permissions SIMMER_API_KEY grants in simmer-sdk (trading-only vs withdrawals/config). Use a least-privilege test key if possible.
- Start in paper mode only and run many automated paper trades (as the doc suggests) before any --live runs. Monitor outcomes and logs.
- The skill writes fastloop_ledger.json locally — ensure you’re comfortable with trade history being stored in that file and its location/permissions.
- Be cautious about scheduling autonomous runs (cron/automaton). Autonomous trading combined with a live-capable API key can cause financial loss if misconfigured or malicious.
- Confirm the simmer-sdk package on PyPI is the official package and review its docs and permissions. Consider running the skill inside an isolated environment or VM and inspect any code before granting keys.

If you cannot verify the script origin or the key permissions, treat this skill as untrusted.

Like a lobster shell, security has layers — review code before you run it.

latestvk97e1ghqqshwy8x4zb7x2pqh0581sjjq


Runtime requirements

Clawdis
Env: SIMMER_API_KEY
