Polymarket Mert Sniper
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill is a real-money crypto prediction-market trading bot, and its documented safeguards do not match the tunable defaults it ships: the documentation describes a $10 max bet and a 0.60 minimum split, while the provided clawhub.json tunables default to $50 and 0.1.
Do not run this with --live until you have explicitly set and verified the effective max bet, max trades, expiry window, and min split values. Use dry-run first, use a dedicated low-balance wallet, and treat the Simmer API key and any wallet private key as sensitive.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
0/64 vendors flagged this skill; all 64 returned a clean verdict. A clean antivirus result says nothing about the configuration and trading-limit issues described under Risk analysis.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Finding: tunable defaults are weaker than the documented limits
A user could authorize live trading under one set of assumptions while the configured limits allow larger or less selective trades than expected.
These tunables govern a real-money trading bot. They conflict with the documented/code defaults, which describe a $10 max bet and a 0.60 minimum split: the shipped max bet default is $50, the min split default is 0.1, and the declared min split range [0.01, 0.5] does not even contain the documented 0.60. Users may therefore believe stronger limits are in place than the runtime configuration actually applies.
Evidence (clawhub.json): "env": "SIMMER_MERT_MAX_BET_USD", "default": 50 ... "env": "SIMMER_MERT_MIN_SPLIT", "default": 0.1, "range": [0.01, 0.5]
Recommendation: before running with --live, verify which environment variables the script actually reads, set explicit max bet and min split values in the environment rather than relying on any default, and confirm the result in dry-run mode.
Finding: documentation and manifest disagree on safety defaults
Users may over-trust the stated safeguards and enable live trading without realizing that the configured parameters differ.
The documentation emphasizes conservative trading defaults, but the provided clawhub.json tunables expose different defaults for max bet and minimum split. For a live trading skill, inconsistent safety expectations are material in themselves, whichever set of values the code actually honours.
Evidence (SKILL.md): Max bet: Maximum per trade (default $10) ... Min split: Minimum odds skew (default 60/40) ... Dry run (default -- shows opportunities, no trades)
Recommendation: the publisher should align SKILL.md, clawhub.json, config.json, and the code defaults; until then, users should confirm the effective configuration before enabling live trades.
Finding: wallet private key held in the environment
If the runtime environment or a dependency is compromised, the wallet private key, and with it every fund in that wallet, is exposed.
A wallet private key controls funds outright and is highly sensitive. Its use here is purpose-aligned for self-custody live trading, and the reviewed artifacts show no credential logging or exfiltration, but the authority it grants is significant, and any code running in the same process (the SDK included, since it signs with the key) can read it.
Evidence: Ask for wallet private key (required for live trading) ... Store in environment as `WALLET_PRIVATE_KEY` ... The SDK uses this to sign orders client-side automatically
Recommendation: use a dedicated, low-balance trading wallet, prefer managed-wallet flows if available, and never place a main wallet's private key in the environment.
Finding: trading SDK is lower-bounded, not pinned
Because the SDK is only lower-bounded, a future release can change how trading or credential handling works without any change to the skill itself.
The skill depends on an external SDK with a lower-bound version (>=) rather than an exact pinned version. That is normal for the Simmer trading integration, but this dependency both places orders and handles the wallet key, so its upgrade path is part of the skill's trust boundary.
Evidence (install spec): "pip": [ "simmer-sdk>=0.11.1" ]
Recommendation: install from trusted package sources, pin a reviewed SDK version (ideally with a hash), and review SDK release notes before each upgrade and before live trading.
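Two of the recommendations above, confirming the effective max bet and min split before --live and pinning the SDK, can be mechanised as a preflight check. The script below is an added example written for this review; it is not code from the skill, ClawScan, or Simmer. It assumes clawhub.json holds a "tunables" list whose entries carry the "name", "env", "default" and "range" keys seen in the quoted fragment, plus a top-level "pip" list; the sample manifest embedded in the script is constructed from the quoted fragments (no range is declared for max bet because none was quoted), and the documented limits are the $10 and 60/40 values from SKILL.md.

```python
"""Pre-live preflight for a skill manifest: resolve the effective tunables
(environment override, else clawhub.json default), compare them with the limits
the documentation promises, and flag pip dependencies that are not exact pins.
Added example for this review; not the skill's, ClawScan's or Simmer's code."""
import json
import os
import re

# Constructed sample assembled from the clawhub.json fragments quoted in this
# report. The layout (a "tunables" list with a "name" key, a top-level "pip"
# list) is an assumption; max bet has no declared range in the quoted fragment.
SAMPLE_CLAWHUB_JSON = """{
  "tunables": [
    {"name": "max_bet_usd", "env": "SIMMER_MERT_MAX_BET_USD", "default": 50},
    {"name": "min_split", "env": "SIMMER_MERT_MIN_SPLIT", "default": 0.1, "range": [0.01, 0.5]}
  ],
  "pip": ["simmer-sdk>=0.11.1"]
}"""

# What SKILL.md promises: a $10 max bet and a 60/40 minimum split.
DOCUMENTED_LIMITS = {"max_bet_usd": 10.0, "min_split": 0.60}
# Direction of safety: a lower max bet is safer, a higher min split is safer.
SAFER_IS_LOWER = {"max_bet_usd": True, "min_split": False}


def resolve_tunables(manifest, env):
    """Map tunable name -> (effective value, where it came from).
    An exported environment variable wins; otherwise the manifest default applies."""
    effective = {}
    for t in manifest["tunables"]:
        raw = env.get(t["env"])
        if raw is not None:
            effective[t["name"]] = (float(raw), "env " + t["env"])
        else:
            effective[t["name"]] = (float(t["default"]), "clawhub.json default")
    return effective


def check_limits(manifest, effective, documented=DOCUMENTED_LIMITS):
    """Findings where the effective value is weaker than the documented limit,
    or where the documented limit falls outside the tunable's declared range."""
    findings = []
    ranges = {t["name"]: t.get("range") for t in manifest["tunables"]}
    for name, (value, source) in effective.items():
        doc = documented.get(name)
        if doc is None:
            continue  # no documented promise to compare against
        weaker = value > doc if SAFER_IS_LOWER[name] else value < doc
        if weaker:
            findings.append(f"{name}: effective {value:g} from {source} "
                            f"is weaker than documented {doc:g}")
        rng = ranges.get(name)
        if rng and not (rng[0] <= doc <= rng[1]):
            findings.append(f"{name}: documented {doc:g} lies outside declared "
                            f"range {rng}; confirm the script accepts it")
    return findings


def check_pins(pip_specs):
    """Flag requirement specs that are not exact (==) pins."""
    findings = []
    for spec in pip_specs:
        m = re.match(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|<=|~=|!=|>|<)?\s*([^\s;#]*)", spec)
        if not m:
            findings.append(f"unparseable requirement {spec!r}")
            continue
        name, op, _version = m.groups()
        if op != "==":
            findings.append(f"{name}: {spec!r} is not an exact pin; review a release "
                            f"and pin it with == (and a --hash in requirements)")
    return findings


def preflight(manifest_json, env):
    """Return (effective tunables, findings); an empty findings list is the
    precondition for even considering --live."""
    manifest = json.loads(manifest_json)
    effective = resolve_tunables(manifest, env)
    findings = check_limits(manifest, effective) + check_pins(manifest.get("pip", []))
    return effective, findings


if __name__ == "__main__":
    effective, findings = preflight(SAMPLE_CLAWHUB_JSON, os.environ)
    for name, (value, source) in effective.items():
        print(f"{name} = {value:g} ({source})")
    for f in findings:
        print("FINDING:", f)
    print("live trading:", "blocked" if findings else "limits verified")
```

Run it in the same environment the bot will start in, after exporting SIMMER_MERT_MAX_BET_USD and SIMMER_MERT_MIN_SPLIT; it reads only the manifest and the environment, never the wallet key, and a non-empty findings list means --live should stay off. Setting the min split to the documented 0.60 still produces a finding, because the manifest's declared range tops out at 0.5: whether the script honours a value outside that range is exactly what the dry run has to confirm.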
