Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Polymarket Candle Momentum
v1.0.0
Trade Polymarket 5-minute crypto fast markets using 1-minute candle body analysis and volume surge detection from Binance. Scans BTC, ETH, SOL, XRP, BNB simu...
⭐ 0 · 26 · 0 current · 0 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's stated purpose (scan Binance candles and place trades via Simmer/Polymarket) matches the code: it calls Binance public klines and uses a SimmerClient / Simmer REST API to discover markets and execute trades. Requesting SIMMER_API_KEY is coherent with this purpose. However, the registry metadata above the files says 'Required env vars: none' while both SKILL.md and clawhub.json declare SIMMER_API_KEY — this mismatch is an incoherence in the published metadata.
Instruction Scope
SKILL.md instructs only to provide SIMMER_API_KEY and run the script (dry-run by default; --live to trade). The Python code reads only config env vars (CM_*) and SIMMER_API_KEY (plus optional TRADING_VENUE), uses Binance public endpoints, and does not read host files or other secrets in the visible portion. No evidence that it transmits unrelated local data. The file is truncated in the manifest, so the final sections should be reviewed, but the visible instructions stay within the trading scope.
Install Mechanism
There is no binary download/install script; dependencies are standard Python packages (simmer-sdk, requests) listed in SKILL.md and clawhub.json. This is proportionate for a Python trading script. There are no downloads from unknown URLs or archives that would raise high install risk.
Credentials
The skill legitimately needs a Simmer API key to place trades (SIMMER_API_KEY). It also supports several CM_* env var overrides and reads an optional TRADING_VENUE env var in get_client(), but these extra env vars are not declared in the top-level registry listing (which said 'none'). The primary secret requested (SIMMER_API_KEY) is proportional to the task, but you should confirm what privileges that API key grants (trade-only vs admin) before using it.
Persistence & Privilege
The skill is instruction-only and does not include an install script that writes files. automaton.managed is false and always is false, so it does not self-enable permanently via automaton settings. clawhub.json includes a cron field and an entrypoint; SKILL.md asks the user to set up a cron themselves, so the presence of a cron entry in the metadata could cause confusion about who schedules it. Clarify whether the platform will schedule it automatically or whether the user must. The skill can be invoked autonomously by the platform (disable-model-invocation is false), which is typical; combine that with API-key access only if you trust the key.
What to consider before installing
This skill appears to implement the described Binance-candle + Simmer trading signal, but there are inconsistencies you should resolve before handing over a live API key:
- Metadata mismatches: the registry summary claims 'no required env vars' while SKILL.md and clawhub.json require SIMMER_API_KEY; _meta.json and SKILL.md versions/owner IDs differ. Ask the publisher to explain/clean up these mismatches and confirm ownership.
- SIMMER_API_KEY is a sensitive credential: verify what permissions that key grants (trade-only, per-venue limits, rate limits). Prefer a least-privilege/trade-only key and rotate it after testing.
- Test in dry-run: run the script without --live and review logs and behavior. Inspect the complete candle_momentum.py (the manifest shows it truncated) to ensure no hidden network calls or file access in the unseen portion.
- Review simmer-sdk: because trade execution goes through simmer-sdk, inspect that package (source or pinned version) so you know what client.trade() does and what data is sent.
- Cron/scheduling: confirm whether the platform will auto-schedule the skill using clawhub.json. If you don't want periodic runs, do not create a cron entry and only run manually or via your own scheduler.
If the publisher cannot resolve the metadata discrepancies or you cannot confirm the SIMMER_API_KEY privileges, treat the key as high-risk and do not run --live until you have a scoped test key and full code review.
Like a lobster shell, security has layers — review code before you run it.
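The metadata-mismatch and credential findings above (env vars read in code but not declared in the registry, and the question of which hosts the script talks to) are something you can check yourself before handing over a key. The following is an added example of such an audit; it is not ClawHub's scanner and not the skill's own code. It walks the Python files in a skill directory, collects every literal environment-variable name read through os.getenv, os.environ.get or os.environ[...], compares them against the env-var-looking names mentioned in SKILL.md and clawhub.json, and lists the hosts found in URL string literals. The file names, the manifest shape and the sample skill contents are assumptions modelled on the scan findings, not the published package.

```python
"""Audit a skill directory for env vars its code reads but its metadata never
mentions, plus the hosts named in its string literals.

Added example: not ClawHub's scanner and not the skill's own code. File names
(SKILL.md, clawhub.json, *.py) and the sample skill below are assumptions.
Requires Python 3.9+ (ast.Subscript.slice is the bare expression)."""
import ast
import json
import re
import tempfile
from pathlib import Path

ENV_NAME = re.compile(r"\b[A-Z][A-Z0-9_]{2,}\b")      # SIMMER_API_KEY, CM_*, ...
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)")


def declared_env_vars(skill_dir: Path) -> set[str]:
    """Env-var-looking names mentioned anywhere in SKILL.md or clawhub.json.
    Deliberately schema-agnostic: the exact manifest layout is not known here."""
    names: set[str] = set()
    for fname in ("SKILL.md", "clawhub.json"):
        path = skill_dir / fname
        if path.exists():
            names |= set(ENV_NAME.findall(path.read_text()))
    return names


class _EnvVisitor(ast.NodeVisitor):
    """Collects literal env-var reads, counts dynamic ones, and harvests URL hosts."""

    def __init__(self) -> None:
        self.literal: set[str] = set()
        self.dynamic = 0
        self.hosts: set[str] = set()

    def _record(self, node: ast.AST) -> None:
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            self.literal.add(node.value)
        else:
            self.dynamic += 1  # name built at runtime: cannot be audited statically

    def visit_Call(self, node: ast.Call) -> None:
        f = node.func
        if isinstance(f, ast.Attribute) and node.args:
            if f.attr == "getenv" and isinstance(f.value, ast.Name) and f.value.id == "os":
                self._record(node.args[0])                      # os.getenv("X")
            elif f.attr == "get" and isinstance(f.value, ast.Attribute) and f.value.attr == "environ":
                self._record(node.args[0])                      # os.environ.get("X")
        self.generic_visit(node)

    def visit_Subscript(self, node: ast.Subscript) -> None:
        if isinstance(node.value, ast.Attribute) and node.value.attr == "environ":
            self._record(node.slice)                            # os.environ["X"]
        self.generic_visit(node)

    def visit_Constant(self, node: ast.Constant) -> None:
        if isinstance(node.value, str):
            self.hosts.update(URL_HOST.findall(node.value))


def audit_skill(skill_dir: Path) -> dict:
    declared = declared_env_vars(skill_dir)
    v = _EnvVisitor()
    for py in sorted(skill_dir.glob("*.py")):
        v.visit(ast.parse(py.read_text(), filename=str(py)))
    return {
        "declared": sorted(declared),
        "used": sorted(v.literal),
        "undeclared": sorted(v.literal - declared),   # the mismatch the scan flags
        "dynamic_env_reads": v.dynamic,               # review these by hand
        "hosts": sorted(v.hosts),
    }


def build_sample_skill() -> Path:
    """Constructed sample skill mirroring the scan findings (not the real package)."""
    d = Path(tempfile.mkdtemp(prefix="skill_audit_"))
    (d / "SKILL.md").write_text(
        "---\nname: polymarket-candle-momentum\nenv: SIMMER_API_KEY\n---\n"
        "Set SIMMER_API_KEY and run `python candle_momentum.py` (add --live to trade).\n"
    )
    (d / "clawhub.json").write_text(json.dumps(
        {"name": "polymarket-candle-momentum", "env": ["SIMMER_API_KEY"],
         "deps": ["simmer-sdk", "requests"]}))
    (d / "candle_momentum.py").write_text(
        'import os\n'
        'KLINES = "https://api.binance.com/api/v3/klines"\n'
        'def get_client():\n'
        '    venue = os.getenv("TRADING_VENUE", "polymarket")\n'
        '    return os.environ["SIMMER_API_KEY"], venue\n'
        'def config():\n'
        '    return {"size": os.environ.get("CM_TRADE_SIZE", "5"),\n'
        '            "interval": os.getenv("CM_INTERVAL", "1m")}\n'
        'def scan(name):\n'
        '    return os.getenv("CM_" + name)  # dynamic name, flagged for manual review\n'
    )
    return d


if __name__ == "__main__":
    print(json.dumps(audit_skill(build_sample_skill()), indent=2))
```

Run it against the real skill directory by passing that path to audit_skill. Anything in "undeclared" is a credential or override the metadata did not tell you about; a non-zero "dynamic_env_reads" count means the code constructs variable names at runtime and has to be read by hand; "hosts" should contain only the endpoints the skill's stated purpose needs (here, Binance and the Simmer API), and anything else deserves the full review the scan recommends.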
latest · vk9710s2cmmeb1n5jahg28x58qs847s7a
