ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Polymarket Market Importer

v1.0.0

Auto-discover and import Polymarket markets matching your keywords, tags, and volume criteria. Runs on a schedule so you never miss a new market worth tradin...

0· 24·0 current·0 all-time
by@richducat·fork of @djdyll/polymarket-market-importer (1.0.3)
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The code and SKILL.md clearly implement a Simmer-backed Polymarket importer and require SIMMER_API_KEY — that is coherent with the stated purpose. However the registry summary at the top of the evaluation indicated "Required env vars: none," while clawhub.json, SKILL.md, and market_importer.py all require SIMMER_API_KEY. Also the ownerId and version fields differ between the provided registry metadata and _meta.json/clawhub.json, which suggests packaging/metadata drift (repackaging or stale registry entry).
Instruction Scope
Runtime instructions (install simmer-sdk, set SIMMER_API_KEY, configure filters, run in dry-run then --live) match the code's behavior. The code only calls the simmer-sdk client methods (list_importable_markets, import_market), filters results, and persists seen market IDs. It does read an optional TRADING_VENUE env var and writes imported_markets.json in the skill directory — both are consistent with the importer purpose.
Install Mechanism
Installation is via pip (simmer-sdk) which is standard and expected. There is no download-from-URL or archive extraction in the package. The skill is instruction/code based with no additional installer, which is low-to-moderate risk and consistent with the declared dependency.
Credentials
The only secret needed is SIMMER_API_KEY, which is appropriate for a tool that interacts with the Simmer API. The concern is not the credential itself but the inconsistency between metadata listings (one place claims no required env vars while the code requires the API key). Confirm which metadata is authoritative before handing over a key.
Persistence & Privilege
The skill is not always-included and does not request elevated platform privileges. It persists a local file (imported_markets.json) for deduplication and config via simmer-sdk; it does not modify other skills or global agent settings. Cron scheduling is declared in clawhub.json (0 */6 * * *) but autostart is false.
What to consider before installing
This skill appears to implement the advertised importer and only needs your Simmer API key, but there are mismatches in the package metadata (required env vars, ownerId, and version). Before running with --live: 1) verify the publisher/owner and that clawhub.json/_meta.json match the repository you trust; 2) inspect simmer-sdk (the pip package) to confirm it is the official SDK you expect; 3) run a dry run (python market_importer.py) and review imported_markets.json location and contents; 4) store SIMMER_API_KEY in a safe place (not in plaintext cron jobs) and avoid passing it to untrusted copies of this skill; 5) only enable scheduled runs after you confirm the skill is from a trusted source and its metadata is consistent.

Like a lobster shell, security has layers — review code before you run it.

latestvk9760xerpjjt1j070ehc84ekk5847nq9

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments