Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Simmer Skill Builder

v1.2.3

Generate complete, installable OpenClaw trading skills from natural language strategy descriptions. Use when your human wants to create a new trading strateg...

by AD88 @adlai88
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto · Requires wallet · Can make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The stated purpose (generate runnable Simmer trading skills) aligns with the included templates, examples, and helper scripts which legitimately need the Simmer SDK and SIMMER_API_KEY. However the registry metadata (requirements reported earlier) lists no env vars or credentials while the included clawhub.json and SKILL.md repeatedly require SIMMER_API_KEY and simmer-sdk. That mismatch is unexpected and worth investigating.
Instruction Scope
SKILL.md instructs the agent to create full skill folders on disk (SKILL.md, clawhub.json, Python script, scripts/status.py), copy boilerplate verbatim, fetch external API docs if needed, and use the SIMMER_API_KEY from the environment. Those actions are coherent for a skill-generator but they grant the skill the ability to write executable code and potentially fetch arbitrary external docs — a broader scope than a read-only helper. Also the SKILL.md template explicitly expects automaton entrypoints and environment tunables; the included clawhub.json in this package does not match that expectation (it has automaton.entrypoint null), an internal inconsistency.
Install Mechanism
No install spec / no network download or third-party package installation specified by the registry. The skill is instruction-driven and contains local helper scripts only (status.py, validate_skill.py). No suspicious external archive downloads or URL-based installers were found.
Credentials
The actual files (clawhub.json, SKILL.md templates, and scripts) require SIMMER_API_KEY and pip dependency simmer-sdk. The registry-level requirements reported earlier showed none — that's an inconsistency. The Simmer SDK docs inside references also note additional sensitive env vars (WALLET_PRIVATE_KEY, SOLANA_PRIVATE_KEY) are required for some 'real' venues; the builder could generate skills that request those keys later. Asking for SIMMER_API_KEY is proportional for a trading-skill generator, but you should NOT provide live wallet private keys or other secrets unless you fully audit the generated skill.
Persistence & Privilege
The skill does not request always:true and does not appear to modify other skills or system-wide agent settings. It will create skill folders and files (normal for a generator) and includes a validate script; these are legitimate for its purpose but you should restrict where it can write and run code.
What to consider before installing
What to check before installing or giving credentials:

- Reconcile the mismatch: the registry metadata reported no required env vars but the package contains a clawhub.json and templates that require SIMMER_API_KEY and the simmer-sdk. Assume the skill needs SIMMER_API_KEY unless the publisher explicitly confirms otherwise.
- Do NOT supply live wallet private keys (WALLET_PRIVATE_KEY, SOLANA_PRIVATE_KEY) or other private signing keys to this skill or to generated skills unless you fully audited the generated code. The Simmer docs note those are only required for specific real venues; generated skills could include them.
- Audit the generated skill folder before running it. The generator will write Python scripts and config files to disk and may instruct the agent to run them. Run scripts in a sandbox or review code manually (look for network endpoints, unexpected POSTs, or obfuscated behavior).
- Use a limited (paper/sim) API key or a read-only credential when testing. The Simmer client supports simulated ('sim') venues — prefer those for initial testing.
- Run scripts/validate_skill.py on any generated skill folder; it includes checks for common pitfalls. Also inspect clawhub.json to ensure automaton.managed and entrypoint are set as you expect.
- Limit the agent's file-write and network permissions if possible; avoid letting it autonomously install or execute newly generated code until you verify it.

Confidence notes: The package contents and templates strongly match the claimed purpose (generating Simmer trading skills), but clear inconsistencies between registry-declared requirements and the included files (and between the templates' expectations and the included clawhub.json) make the package suspicious until those mismatches are explained by the publisher.

Like a lobster shell, security has layers — review code before you run it.
