Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Polymarket Wallet Xray
v1.1.2
X-ray any Polymarket wallet — skill level, entry quality, bot detection, and edge analysis. Queries Polymarket's public APIs, no authentication needed. Inspi...
by AD88 @adlai88
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The skill advertises that it queries Polymarket public APIs with no authentication, and wallet_xray.py indeed uses public Polymarket endpoints. However, the package metadata (clawhub.json), README, and SKILL.md Setup Flow require installing simmer-sdk and setting SIMMER_API_KEY. That API key is only used by scripts/status.py (an optional account-status helper), not by the main wallet analysis. Requiring a credential for functionality that doesn't need it is disproportionate and inconsistent.
Instruction Scope
The runtime instructions primarily call public data APIs and compute metrics — this stays within the stated analysis purpose. They do instruct the user to install simmer-sdk and store a SIMMER_API_KEY for the account-status helper; that is an optional feature but is presented in the same install flow, which could confuse users into providing secrets unnecessarily. There are no instructions to read unrelated files or to transmit results to unknown endpoints.
Install Mechanism
There is no separate install script; the repo is instruction+script-only. clawhub.json declares a pip dependency on simmer-sdk (a standard registry install), which is reasonable for the provided scripts. No downloads from unknown hosts or extraction of archives are present. The unknown upstream source/owner and missing homepage reduce transparency but do not indicate a risky install mechanism by themselves.
Credentials
clawhub.json lists SIMMER_API_KEY as a required env var even though the main wallet_xray analysis does not use it. The only place the key is used is scripts/status.py to query a Simmer account. Requiring a secret as part of install metadata when it is only needed for an optional helper is disproportionate and may pressure users into sharing a credential unnecessarily.
Persistence & Privilege
The skill does not request persistent/always-on privileges (always: false). It does not modify other skills or system-wide settings. Autonomous invocation is allowed by default but is not combined with any other high-risk flags here.
What to consider before installing
This skill's main analysis (wallet_xray.py) uses public Polymarket endpoints and does not require credentials, but the package metadata and setup ask you to install simmer-sdk and provide SIMMER_API_KEY. Before installing or exporting any secret:
1) Understand that SIMMER_API_KEY is only used by scripts/status.py (an optional helper) — you can run wallet_xray.py without it.
2) If you don't need account-status functionality, do NOT set SIMMER_API_KEY in your environment.
3) Inspect the simmer-sdk package on PyPI and review scripts/status.py to ensure you're comfortable with its API calls.
4) Because the skill source has no homepage and an unknown owner, consider running it in an isolated environment (container/VM) first.
5) If possible, ask the publisher to clarify why SIMMER_API_KEY is declared as required and to separate optional account-status functionality from the core public-data analysis.
Like a lobster shell, security has layers — review code before you run it.
