Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Polymarket Fast Loop
v0.1.0
Trade Polymarket BTC 5-minute and 15-minute fast markets using CEX price momentum signals via Simmer API. Default signal is Binance BTC/USDT klines. Use when...
⭐ 0· 431·0 current·0 all-time
by@redrepz
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
Confidence: medium
Purpose & Capability
Name/description match the included code: the script discovers Polymarket 'fast' markets and uses a Simmer SDK client and CEX (Binance/CoinGecko) price feeds to decide trades. The code calls Polymarket's Gamma API and external price APIs which is coherent with the stated purpose.
Instruction Scope
SKILL.md instructs the agent to ask for and store WALLET_PRIVATE_KEY for live trading and to run cron/loops; that is beyond simply needing an API key and introduces a high-sensitivity operation (full wallet control). The instructions also allow writing config.json and daily_spend.json (local state) — expected — but the explicit step to collect the wallet private key expands the scope to custody of funds.
Install Mechanism
There is no install spec (instruction-only with bundled Python script). No external archive downloads or package installs are triggered by the registry metadata. The only dependency referenced is simmer-sdk (and optionally tradejournal), which is consistent with function.
Credentials
Registry-required env vars list only SIMMER_API_KEY, but SKILL.md and the code expect multiple optional SIMMER_SPRINT_* settings and — importantly — instruct the user to supply WALLET_PRIVATE_KEY for live trades. Requesting a private key is a high-privilege, high-risk requirement and it is not declared in the skill metadata. The skill also reads/writes local config/state files; that is reasonable, but the undeclared request for a private key is disproportionate to what the registry claims.
Persistence & Privilege
The skill does not request always:true and does not modify other skills' configs. It writes its own config.json and daily_spend.json in the skill directory (expected). It will perform live trades if run with --live; autonomous invocation is allowed by default but not set to always, which is appropriate for a trading skill.
Scan Findings in Context
[no_pre_scan_findings] (expected): The static pre-scan reported no injection signals. That does not imply safety; the SKILL.md and code contain sensitive behavior (wallet private key usage and live trading) that static scanners may not flag.
What to consider before installing
This skill is functionally coherent with trading Polymarket sprint markets, but it asks you to supply and store your wallet private key for live trades while the registry only declares an API key requirement. That is the main red flag. Before installing or using it live:
(1) treat the wallet private key as highly sensitive: avoid placing it in environment variables on shared hosts or CI; prefer an isolated machine, a hardware wallet, or a signing service with minimal privileges;
(2) run the script in dry-run mode extensively and review the simmer-sdk package and the skill code yourself (or in a sandbox) to confirm no unexpected network endpoints or exfil behaviors;
(3) ask the maintainer to update the registry metadata to declare WALLET_PRIVATE_KEY (and any other required envs) so the requirement is explicit;
(4) if you must run live, limit exposure by using a wallet with only the minimum USDC needed and rotate keys after tests;
(5) consider running this on an isolated VM/container with restricted network access until you're confident of its behavior.
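Step (2) above, checking the code for credentials the registry never declared and for hosts the stated purpose does not explain, can be made mechanical. The block below is an added example of such a reviewer-side pre-install check; it is not ClawHub's scanner and not code from the skill. The script source, the declared-env set and the expected-host allowlist are all constructed for illustration and only mirror the shape of the finding above (one declared variable, a private key read anyway).

```python
import re
from typing import Dict, Set

# Constructed inputs for this example (NOT the skill's real files). The
# registry metadata declares one variable; the script reads three and talks
# to one host that has nothing to do with the stated purpose.
DECLARED_ENV: Set[str] = {"SIMMER_API_KEY"}

SAMPLE_SOURCE = '''
import os
api_key = os.environ["SIMMER_API_KEY"]
pk = os.getenv("WALLET_PRIVATE_KEY")            # undeclared; custody of funds
size = float(os.environ.get("SIMMER_SPRINT_SIZE", "5"))
GAMMA = "https://gamma-api.polymarket.com/markets"
KLINES = "https://api.binance.com/api/v3/klines"
SINK = "https://telemetry.example.net/report"   # constructed: not expected
'''

# Hosts the stated purpose justifies (Gamma API, Binance, CoinGecko).
EXPECTED_HOSTS: Set[str] = {
    "gamma-api.polymarket.com", "api.binance.com", "api.coingecko.com",
}

# Substrings that mark signing authority rather than a scoped API credential.
SENSITIVE_MARKERS = ("PRIVATE_KEY", "MNEMONIC", "SEED")

# Literal env-var reads and literal http(s) URLs; dynamic construction is
# invisible to this pass (see the note after the block).
ENV_RE = re.compile(
    r'os\.(?:environ\[|environ\.get\(|getenv\()\s*["\']([A-Z0-9_]+)["\']')
URL_RE = re.compile(r'https?://([A-Za-z0-9.-]+)')


def referenced_env(source: str) -> Set[str]:
    """Names read via os.environ[...], os.environ.get(...) or os.getenv(...)."""
    return set(ENV_RE.findall(source))


def referenced_hosts(source: str) -> Set[str]:
    """Hostnames taken from string-literal http(s) URLs in the source."""
    return set(URL_RE.findall(source))


def audit_skill(source: str, declared_env: Set[str],
                expected_hosts: Set[str]) -> Dict[str, object]:
    """Compare what the code actually uses with what the registry declares."""
    envs = referenced_env(source)
    hosts = referenced_hosts(source)
    undeclared = sorted(envs - declared_env)
    sensitive = sorted(e for e in envs
                       if any(m in e for m in SENSITIVE_MARKERS))
    unexpected = sorted(hosts - expected_hosts)
    # A signing credential or an unexplained host is a blocking finding;
    # merely undeclared low-risk settings call for a metadata fix, not a block.
    verdict = "suspicious" if (sensitive or unexpected) else "ok"
    return {
        "undeclared_env": undeclared,
        "sensitive_env": sensitive,
        "unexpected_hosts": unexpected,
        "verdict": verdict,
    }


if __name__ == "__main__":
    report = audit_skill(SAMPLE_SOURCE, DECLARED_ENV, EXPECTED_HOSTS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The check only sees literal names and URLs. Code that assembles an env-var name or a URL at runtime, or a dependency such as simmer-sdk that performs the network calls on the skill's behalf, needs the same pass over its own source, and ultimately a dry run in a container with restricted egress, as step (5) recommends, is what confirms where the process really connects.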
latest: vk97fqbya08cpddsc9j1xsk5j9s81v971
Runtime requirements
⚡ Clawdis
Env: SIMMER_API_KEY
