Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Polymarket Fast Loop
v1.5.3
Trade Polymarket BTC 5-minute and 15-minute fast markets using CEX price momentum signals via Simmer API. Default signal is Binance BTC/USDT klines. Use when...
by AD88 (@adlai88)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description match the implementation: the script queries Polymarket (Gamma/CLOB endpoints) and uses Simmer SDK to place trades based on CEX momentum signals. Requiring a Simmer API key is appropriate. However, SKILL.md also instructs the user to provide a WALLET_PRIVATE_KEY for live trades, but the top-level registry metadata (and earlier 'required env vars' field) do not list this; clawhub.json only lists SIMMER_API_KEY. This inconsistency between declared requirements and instructions is unexplained.
Instruction Scope
Runtime instructions direct installation of simmer-sdk, running the Python script on a cron loop, and storing a wallet private key in an environment variable for client-side signing. Asking for a private key is consistent with live trading, but storing it in an env var is sensitive and the SKILL.md gives no secure-alternative guidance (e.g., hardware wallet, remote signing service). The instructions also recommend scheduling autonomous live runs (cron/OpenClaw), which increases risk if credentials are compromised.
Install Mechanism
No arbitrary downloads or extract steps; installation is via pip (simmer-sdk). clawhub.json declares pip dependency simmer-sdk. This is a normal, traceable install mechanism for a Python skill.
Credentials
The skill legitimately needs SIMMER_API_KEY and (for live trading) a WALLET_PRIVATE_KEY. However the registry metadata fields are inconsistent: the top-level summary indicated no required env vars, clawhub.json requires SIMMER_API_KEY, and SKILL.md requests WALLET_PRIVATE_KEY. The skill also reads other environment variables (TRADING_VENUE, AUTOMATON_MAX_BET and several configurable env names), which is plausible but not fully reflected in high-level metadata. Requiring a private key is proportional for signing trades but is a high-sensitivity credential and merits clearer declaration and safer handling guidance.
Persistence & Privilege
The skill is not always-enabled and does not request system-wide privileges. It writes a local daily_spend.json file and is designed to be run on a schedule. There is no 'always: true' or other elevated persistence requested.
What to consider before installing
This skill appears to implement an automated Polymarket fast-market trader and will place real USDC trades if you run it with --live. Before installing:
1) Note that live trading requires sensitive secrets — SIMMER_API_KEY (declared) and a wallet private key (SKILL.md requests WALLET_PRIVATE_KEY). The metadata is inconsistent about the private key; assume live trading will need it.
2) Prefer using a signing service or hardware wallet where possible instead of storing raw private keys in environment variables. If you must use an env var, keep the environment isolated and rotate keys after testing.
3) Run in dry-run mode first and inspect the fastloop_trader.py source yourself (it calls Polymarket CLOB and Simmer endpoints and writes a local daily_spend.json).
4) Confirm you trust the simmer-sdk package from PyPI (pip install simmer-sdk) and consider vetting that library.
5) Be cautious about scheduling autonomous cron runs for live trades — automated execution increases exposure if credentials are leaked.
If you want help auditing specific code paths (e.g., where the private key is used), provide the rest of fastloop_trader.py and I can review the exact handling.
Like a lobster shell, security has layers — review code before you run it.
