Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Prediction Trade Journal

v1.0.0

Auto-log trades with context, track outcomes, generate calibration reports to improve trading.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto: Can make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal
Benign
OpenClaw
Suspicious (medium confidence)
Purpose & Capability
Name/description describe a trade journal and the code implements exactly that: polling https://api.simmer.markets, storing trades in data/trades.json, updating outcomes, exporting reports. Requesting an API key (SIMMER_API_KEY) is appropriate for this purpose. However, registry-level 'Requirements' listed at the top of the pack show none while clawhub.json and SKILL.md require SIMMER_API_KEY and a pip dependency — a metadata mismatch.
Instruction Scope
SKILL.md instructions map to the code: sync, history, report, export. The runtime instructions and code only access the Simmer API and local files in the skill directory (data/, config.json). The code does read environment variables beyond the single documented SIMMER_API_KEY (it also honors SIMMER_API_URL and SIMMER_JOURNAL_* env vars) and exposes a log_trade() integration point for other skills to add context to local records — this is expected but worth noting.
Install Mechanism
This is instruction+code with no explicit install spec, which is low-risk. However, clawhub.json declares a pip dependency ('simmer-sdk') even though there is no install script in the package metadata; installing that dependency would pull third-party code from PyPI. That is a standard dependency for this purpose, but it should be trusted/reviewed before installation.
Credentials
The skill requires a single service credential (SIMMER_API_KEY) which is proportional to fetching trades. Additional environment variables (SIMMER_API_URL, SIMMER_JOURNAL_FETCH_LIMIT, SIMMER_JOURNAL_AUTO_SYNC) are used by the code but not all are documented in SKILL.md or clawhub.json; this is sloppy but not necessarily malicious. The skill does not request unrelated secrets or cloud credentials.
Persistence & Privilege
The skill stores data and config under its own directory (data/*.json, config.json) and does not request always:true or elevated system privileges. It can be invoked autonomously (normal default) but does not modify other skills or system-wide settings.
What to consider before installing
This package largely does what it says: it syncs trades from Simmer and saves them locally. Before installing, verify the following:
1) Confirm you trust the 'simmer-sdk' PyPI package (clawhub.json lists it); inspect that package or install it in an isolated environment.
2) Protect your SIMMER_API_KEY: the skill will use it to fetch your trades; consider creating a read-only or limited API key if Simmer supports it.
3) Be aware that data/trades.json and context.json are stored in the skill folder and may contain sensitive trade positions/theses; treat them as sensitive and encrypt or limit access accordingly.
4) Note the metadata/documentation mismatches (registry header vs. clawhub.json vs. SKILL.md): the code also uses SIMMER_API_URL and SIMMER_JOURNAL_* env vars even though they are not documented.
5) If you want stronger assurance, review the full tradejournal.py and the simmer-sdk dependency source, or run the skill in an isolated container/VM and monitor outbound requests (they should go only to api.simmer.markets or your SIMMER_API_URL).


