Polymarket NegRisk Arbitrage
WarnAudited by ClawScan on May 10, 2026.
Overview
This skill is aligned with arbitrage trading, but it can use an API key to run quiet scheduled live trades, so it needs careful review before installation.
Install only if you intentionally want automated trading. Start with dry-run or simulated venue, disable the managed cron unless needed, use a limited API key, set low budgets, and do not rely on the 'risk-free' wording without independently checking the market and execution assumptions.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If run with a funded or real-trading venue, the skill could open positions and spend funds automatically.
In live mode the script submits batch trades to an external trading API. This is purpose-aligned, but it is a high-impact account mutation and the visible flow does not require a fresh user approval for each trade.
response = requests.post("https://api.simmer.markets/api/sdk/trades/batch", ... json={"trades": trades, "venue": cfg["venue"], "source": TRADE_SOURCE, "skill_slug": SKILL_SLUG,Use dry-run or simulated venue first, require manual confirmation before live trades, and set strict position and daily budget limits.
The skill may continue running and placing trades on a schedule after initial setup unless the automaton is disabled.
The skill declares a managed scheduled automaton that runs the trader in live quiet mode every two hours, enabling persistent autonomous trading.
"cron": "0 */2 * * *", "automaton": { "managed": true, "entrypoint": "negrisk_arb.py --live --quiet" }Disable the managed automaton unless you explicitly want scheduled trading, and verify how to stop or revoke it before using live mode.
A user may not realize the skill needs a credential capable of accessing or trading in their Simmer/Polymarket account.
The script uses a bearer API key for authenticated trading, while the registry metadata reports no required env vars and no primary credential. That under-discloses the account authority needed.
api_key = os.environ.get("SIMMER_API_KEY") ... "Authorization": f"Bearer {api_key}"Use the least-privileged API key available, avoid funded accounts until tested, and ensure the registry metadata clearly declares SIMMER_API_KEY and trading authority.
Users may trust the strategy more than warranted and allow live automated trading without understanding the remaining risks.
The documentation repeatedly frames the strategy as risk-free or guaranteed, which can overstate safety for live financial trading where grouping, liquidity, fees, execution, settlement, or configuration can still create losses.
buy all sides simultaneously via batch trade to lock in risk-free profit
Treat the strategy as risky financial automation, verify market grouping and execution assumptions manually, and avoid relying on 'risk-free' claims.
Installing the dependency may run or import code outside the reviewed skill files.
The skill depends on an external pip package without a pinned version. This is common for integrations, but users should know external code is required.
"requires": { "pip": ["simmer-sdk"], "env": ["SIMMER_API_KEY"] }Pin and review the dependency version where possible, and install it in an isolated environment.