Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Polymarket Weather Trader

v1.17.2

Trade Polymarket weather markets using NOAA (US) and Open-Meteo (international) forecasts via Simmer API. Inspired by gopfan2's $2M+ strategy. Use when user...

4 · 4.5k · 18 current · 21 all-time
by AD88 (@adlai88)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

Capability signals: Crypto · Requires wallet · Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name, description, and code match: it queries NOAA/Open‑Meteo, uses a Simmer SDK, discovers Polymarket weather markets and can execute trades. Requiring a Simmer API key and an ability to sign orders (wallet key) is consistent with live trading. However, registry metadata at the top claimed 'Required env vars: none' while clawhub.json and the code require SIMMER_API_KEY, and SKILL.md instructs the user to supply WALLET_PRIVATE_KEY — this mismatch is an incoherence to be aware of. Also: the package is described as instruction‑only but contains runnable Python code (weather_trader.py) — that's acceptable but worth noting.
Instruction Scope
SKILL.md explicitly tells the agent/operator to ask for and store the user's WALLET_PRIVATE_KEY in an environment variable for live trading. Storing private keys in environment variables and having the skill handle signing is functionally required for automated execution, but it is sensitive and increases risk. The instructions also tell users to set many tuning env vars and to set up cron/scheduling. There is no instruction to use a dedicated, limited‑fund wallet or to take other safety precautions when providing private keys.
Install Mechanism
There is no arbitrary download/install script. The skill expects the simmer-sdk pip package (both SKILL.md and clawhub.json reference this) and includes Python source files. No remote code download URLs or extract steps were observed in the manifest. This is a normal install pattern for a Python skill.
Credentials
Requesting SIMMER_API_KEY is proportional to the stated functionality. Requesting a WALLET_PRIVATE_KEY is also explainable for live trading, but WALLET_PRIVATE_KEY is not declared in the skill's declared required env list (top-level metadata said none; clawhub.json only lists SIMMER_API_KEY). That mismatch is suspicious because a highly sensitive credential (private key) is asked for in SKILL.md but not declared as a required credential in the manifest. The code also reads additional envs (AUTOMATON_MAX_BET, TRADING_VENUE) that are not highlighted in top-level metadata but are benign operational controls.
Persistence & Privilege
The skill does not request always:true and is user‑invocable only. clawhub.json marks the automaton as managed with an entrypoint to weather_trader.py (expected for a runnable trading skill). There is no evidence it attempts to modify other skills or system-wide configs. Autonomous invocation is allowed by default on the platform (disable-model-invocation is false) — combine this with sensitive credentials only after careful consideration.
What to consider before installing
This skill appears to implement automated trading as advertised, but it asks you to provide sensitive credentials (SIMMER_API_KEY and — for live trading — your wallet private key). Before installing or running:
1) Verify provenance: this package's source/author is unknown. Prefer skills from known publishers.
2) Inspect the simmer-sdk package and confirm it is the official SDK (pip name matches, but check package maintainer and code).
3) Never put large balances under an automated skill: create a dedicated wallet with minimal funds for live trading and rotate keys if possible.
4) Prefer signing with a hardware wallet or an external signer if supported (avoid storing long‑term private keys in plain env vars on shared systems).
5) Because the manifest/metadata is inconsistent (top metadata omitted required envs but SKILL.md requests WALLET_PRIVATE_KEY), ask the publisher to clarify required env vars and where keys are stored/used.
6) Run in dry‑run / --live=false mode first and monitor network calls and trades; review logs and use the status script before enabling cron/autonomous runs.
If you are not comfortable supplying a private key, do not enable live trading.


latest: vk97avfxbd8jnt9h65v24xm20qd84zr8w
