Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Simmer Market Maker

v1.3.0

Places GTC limit orders on both sides (bid/ask) of liquid Polymarket markets. Finds active markets with >$10k 24h volume, mid-range prices, and ample time to...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Benign
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description, SKILL.md, clawhub.json, and market_maker.py all describe a market-maker using the Simmer SDK and Polymarket CLOB — requiring a SIMMER_API_KEY and the simmer-sdk Python package is proportionate. However, the registry summary at the top stated 'Required env vars: none' and the skill version in the registry (1.3.0) differs from SKILL.md and _meta.json (1.2.0). This packaging/metadata mismatch is an incoherence that could indicate sloppy publishing or an update that wasn't fully propagated.
Instruction Scope
SKILL.md and market_maker.py stick to market discovery, midpoint fetching, order placement/cancellation, and local config management. The code calls Polymarket CLOB midpoint endpoints and the Simmer API, cancels and places GTC orders, and can write/read local config via simmer_sdk.skill.load_config/update_config. It does not attempt to read arbitrary user files or transmit unrelated data. Note: it will cancel orders and place live trades when run with --live and a valid API key — this is expected but high-impact.
Install Mechanism
There is no installer script in the package (instruction-only install) but clawhub.json declares a pip dependency 'simmer-sdk'. Requiring a PyPI package is reasonable for this purpose, but pip-installed packages are an external trust decision — review simmer-sdk's provenance before installing. No arbitrary downloads or archive extraction are present in the skill files.
Credentials
The skill legitimately requires SIMMER_API_KEY (declared in SKILL.md and clawhub.json) and optionally TRADING_VENUE and a set of tuning env vars. However, the top-level registry summary incorrectly listed no required env vars, which is a packaging inconsistency. Requesting an API key is proportionate for a trading skill, but an API key is a sensitive credential — the skill will use it to place/cancel orders and view portfolio data.
Persistence & Privilege
The skill is not marked always:true and autostart is false. It is an automaton-managed entrypoint (managed: true) but that appears consistent with a runnable trading tool. It uses load_config/update_config which will write its own config files (normal for a tool), but it does not request system-wide or other-skills' configuration access.
What to consider before installing
This skill is plausibly a market-maker and the code aligns with its stated purpose, but exercise caution before running it with a real API key:
1) The package metadata in the registry is inconsistent (missing required env, version mismatch) — ask the publisher or check an authoritative source.
2) Review the simmer-sdk package (source, publisher, permissions) before pip installing; consider installing into an isolated venv.
3) Test extensively in paper mode (TRADING_VENUE=sim or --dry-run) and don't run --live until satisfied.
4) Consider creating a scoped API key (if supported) with limited permissions and rotate it afterwards.
5) Inspect where the skill stores its config (simmer_sdk.skill.get_config_path) to ensure it doesn't expose secrets on disk.
6) If you lack confidence in the author, have a developer review the simmer-sdk and market_maker.py code paths that place/cancel orders (they use a private ._request method in places).
These inconsistencies make the package suspicious but not demonstrably malicious; proceed only after the checks above.
