Polymarket Signal Sniper

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is a disclosed Polymarket trading automation, but it needs sensitive trading credentials and some advertised safety-limit controls do not match the variables the code actually reads.

Review carefully before installing. Start with dry-run or scan-only mode, use a dedicated low-balance wallet, explicitly set the code-recognized trade limits, and verify the Simmer SDK version before enabling live or recurring trading.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

66/66 vendors flagged this skill as clean.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If a user relies on the platform controls, the bot may trade using defaults or separately configured values instead of the confidence threshold or max-trades limit the user thought they set.

Why it was flagged

These exposed ClawHub tunables do not match the code's CONFIG_SCHEMA variables for the same controls, which use SIMMER_SNIPER_CONFIDENCE and SIMMER_SNIPER_MAX_TRADES. Because the skill can execute live trades, UI changes to key safeguards may be ignored.

Skill content

"env": "SIMMER_SNIPER_CONFIDENCE_THRESHOLD" ... "env": "SIMMER_SNIPER_MAX_TRADES_PER_RUN"

Recommendation

Do not run with --live until the effective settings are verified. Explicitly set SIMMER_SNIPER_CONFIDENCE, SIMMER_SNIPER_MAX_USD, and SIMMER_SNIPER_MAX_TRADES, or ask the publisher to align clawhub.json with the code.

What this means

Anyone or anything with access to these environment variables may be able to access the Simmer account or sign live Polymarket orders.

Why it was flagged

The skill clearly requests API and wallet credentials for the expected trading integration. This is purpose-aligned, but it grants sensitive account and wallet authority.

Skill content

Ask for Simmer API key ... Store in environment as `SIMMER_API_KEY` ... Ask for wallet private key ... Store in environment as `WALLET_PRIVATE_KEY` ... uses this to sign orders client-side automatically

Recommendation

Use a dedicated low-balance wallet/API key, prefer paper or dry-run mode first, and avoid storing a private key in shared environments.

What this means

A future SDK version could change behavior in ways the skill artifacts do not show.

Why it was flagged

The skill depends on an external SDK using a lower-bound version rather than an exact pinned version. This is expected for the Simmer integration, but supply-chain trust matters because the SDK participates in trading and credential handling.

Skill content

"pip": ["simmer-sdk>=0.11.1"]

Recommendation

Install in an isolated environment and consider pinning/reviewing the simmer-sdk version before using live trading credentials.

What this means

If the user later enables recurring execution with live trading, the skill can continue scanning and placing trades without a manual command each time.

Why it was flagged

The package declares a managed automaton entrypoint but does not autostart or schedule it by default. This is consistent with optional recurring scans, but users should understand when automation is enabled.

Skill content

"cron": null, "autostart": false, "automaton": { "managed": true, "entrypoint": "signal_sniper.py" }

Recommendation

Keep autostart/cron disabled until the strategy is tested, and monitor any scheduled live runs closely.