Simmer Skill Builder
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This is a coherent trading-skill generator, but generated bots can use real trading credentials and place live prediction-market trades if the user enables them.
Install only if you intend to build trading bots. Treat generated skills as financial automation: inspect the code, keep credentials in secure environment variables, run in dry-run mode first, set strict position limits, and review any Automaton tuning before allowing live trades.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
54/54 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A generated bot could spend real funds or change market positions if the user runs it with live trading enabled.
The generated skill template includes a live-trading mode and SDK trade calls, so generated outputs can place buy/sell orders when run with live mode.
python <script>.py # Dry run
python <script>.py --live # Real trades
...
result = get_client().trade(
Run generated skills in dry-run/paper mode first, inspect the generated code, and set conservative max trade and max position values before using `--live`.
If these credentials are exposed or misused, someone could access trading account functions or place real-money trades.
The Simmer trading workflow uses API credentials and, for real venues, wallet/private-key credentials. This is expected for the stated trading purpose but is high-impact account authority.
api_key="sk_live_...", # Required: from SIMMER_API_KEY env var
...
`polymarket` (real USDC) | ...
Requires `WALLET_PRIVATE_KEY` env var.
Use least-privilege credentials where available, keep wallet keys out of generated files, prefer environment variables or secure secret storage, and revoke/rotate keys if a generated skill behaves unexpectedly.
Installing or running generated skills may pull code from the Python package ecosystem, so package compromise or unexpected updates could affect trading behavior.
The skill declares a pip dependency on `simmer-sdk` without a pinned version. This is normal for this integration, but users depend on the package’s provenance and future updates.
"requires": {
  "env": ["SIMMER_API_KEY"],
  "pip": ["simmer-sdk"]
}
Install dependencies from trusted indexes, consider pinning and reviewing `simmer-sdk` versions for production bots, and rerun validation after dependency updates.
A bot’s trade sizing, thresholds, or other settings could differ from local defaults if Automaton tuning is configured.
Generated skills may load persistent Automaton tuning that changes runtime parameters across runs. This is documented and purpose-aligned, but it means stored remote configuration can influence trading decisions.
Config priority: `config.json > automaton tuning > env vars > defaults`. When `slug` is provided, `load_config` automatically fetches tuned config from the Simmer Automaton
Review Automaton tuning before live trading, use local `config.json` for hard caps, and disable or avoid remote tuning if you want fully local, predictable parameters.
