Simmer Market Maker

WarnAudited by ClawScan on May 10, 2026.

Overview

This skill mostly matches its market-making purpose, but live mode can use your trading API key to cancel all open orders and place persistent financial orders, so it needs careful review before use.

Use this only if you understand the financial risk. Start with dry run or TRADING_VENUE=sim, avoid --live until you have reviewed the order-cancellation behavior, and consider using a limited account or restricted API key if available. After any live run, check and manage remaining GTC orders manually.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

High

#ASI02: Tool Misuse and Exploitation

What this means

Running live mode could cancel unrelated open Polymarket/Simmer orders in the user's account, which may disrupt existing trading strategies or financial exposure.

Why it was flagged

In live mode, the code issues an unfiltered order-cancellation request described as cancelling all existing open orders, rather than only orders created by this strategy or selected markets.

Skill content

def cancel_open_orders(dry_run=True):
    """Cancel all existing open orders via DELETE /api/sdk/orders."""
    ...
    get_client()._request("DELETE", "/api/sdk/orders")

Recommendation

Before live use, confirm whether the API endpoint supports scoping by source, market, or order ID, and modify the skill to cancel only its own orders or ask for explicit confirmation before broad cancellation.

Medium

#ASI03: Identity and Privilege Abuse

What this means

If the key has live-trading permissions, the skill can place and cancel orders using the user's account.

Why it was flagged

The API key requirement is disclosed and expected for a trading skill, but it gives the skill delegated authority over the user's trading account.

Skill content

`SIMMER_API_KEY` | ✅ Yes | Your Simmer API key — get it at simmer.markets/dashboard → SDK tab

Recommendation

Use paper mode first, use a restricted key or separate account if available, and only provide a live key when you are comfortable with the trading authority granted.

Medium

#ASI08: Cascading Failures

What this means

A live run can leave orders active after the agent stops, creating ongoing financial exposure.

Why it was flagged

Good-Till-Cancelled orders are expected for this market-making strategy, but they persist beyond the script run until filled or cancelled.

Skill content

get_client().trade(
    market_id=market_id,
    side=side,
    amount=amount,
    order_type="GTC",
    price=price,

Recommendation

Monitor open orders after each run and have a clear process to cancel the skill's orders when you no longer want the exposure.

Low

#ASI04: Agentic Supply Chain Vulnerabilities

What this means

The external SDK will handle sensitive trading operations with the provided API key.

Why it was flagged

The skill relies on an external Python package for credentialed trading functionality. This is purpose-aligned, but users should trust the dependency source before providing an API key.

Skill content

"requires": {
    "env": ["SIMMER_API_KEY"],
    "pip": ["simmer-sdk"]
  }

Recommendation

Install the dependency from a trusted package index, review the SDK provenance if possible, and keep it updated.