
ClawScan security

Polymarket Weather Bucket Thresholds · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign (Mar 6, 2026, 1:38 AM)
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, instructions, and requested credential (SIMMER_API_KEY) are coherent with its stated purpose of running a Simmer-based trading strategy; nothing requests unrelated secrets or external endpoints beyond simmer.markets.
Guidance
This skill appears to do what it says: it queries Simmer and will place simulated or real trades if started with --live. Before installing, confirm the simmer-sdk package source (the manifest requests it) or remove that dependency if unnecessary. Limit the SIMMER_API_KEY's permissions if possible (use a key scoped to simulation or a low-privilege test account), test extensively in dry-run mode, and only enable --live after you are comfortable with behavior and rate limits. Also be aware the cron runs every 2 minutes by default—ensure you want that frequency and that your API quota allows it.
Findings
[no_findings] expected: Static pre-scan reported no injection signals. The only minor discrepancy is an unused pip dependency (simmer-sdk) declared in clawhub.json while trade.py uses requests directly; this is not flagged by the scanner but is noted here.

Review Dimensions

Purpose & Capability
[ok] Name/description describe a Simmer-based Polymarket weather trading strategy; the code calls Simmer API endpoints (/markets, /context, /positions, /trade) and enforces the described entry/exit thresholds and scheduling. Required credential (SIMMER_API_KEY) matches the service used.
Instruction Scope
[ok] SKILL.md instructions are narrow and match the code: dry-run by default, use --live to place trades, run every 2 minutes, strict warnings enforced. The runtime code does not read unrelated files or environment variables and only communicates with api.simmer.markets.
Install Mechanism
[note] clawhub.json requests pip install of 'simmer-sdk', which is a reasonable dependency for a Simmer integration, but trade.py uses the requests library and does not import simmer-sdk. Installing simmer-sdk is not harmful per se but appears unnecessary or leftover; verify the package source before install.
Credentials
[ok] Only SIMMER_API_KEY is required and the code explicitly reads that env var. No unrelated credentials, secret patterns, or config paths are requested or accessed.
Persistence & Privilege
[ok] The manifest sets always to false and schedules the skill (cron) to run every 2 minutes; autonomous invocation is allowed (platform default) but is not combined with broad credentials or unusual privileges. The skill does not modify other skills or system-wide settings.