Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Simmer Market Maker

v1.0.0

Places GTC limit orders on both sides (bid/ask) of liquid Polymarket markets. Finds active markets with >$10k 24h volume, mid-range prices, and ample time to...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md and market_maker.py implement a Polymarket market-maker using a Simmer SDK and a Polymarket CLOB endpoint; the required simmer SDK and SIMMER_API_KEY are coherent with that purpose. However, the top-level registry metadata in the evaluation header claimed no required env vars while clawhub.json and SKILL.md both require SIMMER_API_KEY — a manifest inconsistency that reduces trust in the package metadata.
Instruction Scope
Runtime instructions and code stay within the stated domain: fetching markets, computing midpoints (via CLOB endpoint), cancelling and placing GTC orders, and managing a small config. There are no instructions to read unrelated host files, crawl shell history, or exfiltrate arbitrary data to unknown endpoints. The only network targets are the Simmer API (via simmer-sdk/_request) and Polymarket CLOB at clob.polymarket.com.
Install Mechanism
No install script is included (instruction-only install), and the required dependency is a pip package (simmer-sdk) — which is an expected delivery method. There are no arbitrary downloads or extract actions in the skill files. Still, the package lacks a homepage and the owner/publish provenance is weak; you should verify the simmer-sdk package source and integrity before installing.
Credentials
The skill requires a single API key (SIMMER_API_KEY) and an optional TRADING_VENUE — both reasonable for a trading bot. The concern is the manifest mismatch: some registry metadata claimed no required env vars while the bundled clawhub.json and SKILL.md require SIMMER_API_KEY. That mismatch could cause users to miss that they're exposing an API key to this code. Also confirm what rights the SIMMER API key grants (trading vs read-only) before using it for live trades.
Persistence & Privilege
The skill is not flagged always:true and is user-invocable only; it does not request system-wide privileges. It uses load_config/update_config to manage its own config files (normal). Autonomous invocation is allowed by default but not combined here with other high-risk flags.
What to consider before installing
This skill appears to implement what it claims (a Polymarket market maker) and only needs a Simmer API key and the simmer-sdk package — both reasonable for trading. However:
1) The package lacks an external homepage and the registry metadata is inconsistent about required environment variables, so verify the source and trust the owner before installing.
2) Inspect the simmer-sdk package (where network/trade calls are implemented) to confirm it doesn't do unexpected work or store your API key insecurely.
3) Check what permissions the SIMMER_API_KEY grants (ensure it isn't broader than necessary, e.g., doesn't grant withdrawals).
4) Run in paper/sim mode first (TRADING_VENUE=sim and --dry run) and review logs.
5) Consider running in an isolated environment and rotate the API key after initial tests.
If you want, I can list the specific lines that access external endpoints and the exact manifest mismatches to help you audit further.

Like a lobster shell, security has layers — review code before you run it.

latest: vk97f1ahdqpd1jtb3ztzbwncsmx8473b2
