ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

SimpleFunctions

v0.1.0

SimpleFunctions — AI-native prediction market runtime for Kalshi & Polymarket. Thesis tracking, edge scanning, position monitoring, and trade execution via C...

0· 108·0 current·0 all-time
by@patrickliu0077

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for patrickliu0077/simplefunctions.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "SimpleFunctions" (patrickliu0077/simplefunctions) from ClawHub.
Skill page: https://clawhub.ai/patrickliu0077/simplefunctions
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required binaries: sf
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install simplefunctions

ClawHub CLI

Package manager switcher

npx clawhub@latest install simplefunctions
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill is a prediction-market trading/runtime which reasonably requires the 'sf' CLI and market API credentials (Kalshi, SimpleFunctions). However, the registry metadata lists no required environment variables or install spec while the SKILL.md clearly documents SF_API_KEY, KALSHI_API_KEY_ID, KALSHI_PRIVATE_KEY_PATH and an npm install for @spfunctions/cli. That mismatch between declared metadata and the runtime instructions is incoherent and worth questioning.
!
Instruction Scope
SKILL.md tells the agent to run many sf CLI commands (scan, trade, evaluate, agent, setup) and to configure Telegram alerts. The instructions reference a filesystem private key path (KALSHI_PRIVATE_KEY_PATH) and tokens. While these actions are within the stated domain (trading/monitoring), they give agents/CLI the ability to access local keys and execute trades — scope is broader and higher-risk than the registry claims.
Install Mechanism
Installation is via npm (@spfunctions/cli), which is a common but moderate-risk vector (unreviewed third‑party package). The registry manifest claimed 'No install spec', yet SKILL.md includes an install entry and npm install instructions — another internal inconsistency to verify. No direct downloads or archive extraction are present in the instructions.
!
Credentials
The SKILL.md requires multiple sensitive items: SF_API_KEY, KALSHI_API_KEY_ID, and a KALSHI_PRIVATE_KEY_PATH (private key file), plus optional Telegram bot token. None of these were declared in the registry 'required env vars' list. Requesting a private key path and trading credentials is high-impact and should be explicitly declared and justified; the omission is suspicious.
Persistence & Privilege
The skill is not set to 'always: true' and is user-invocable only. Autonomous invocation is allowed by default (normal), which combined with trading credentials could permit the agent to place orders without additional human confirmation — this is expected behavior for a trading skill but increases blast radius, so exercise caution when granting credentials.
What to consider before installing
This skill appears to be a legitimate CLI wrapper for prediction-market trading, but the SKILL.md and registry metadata disagree: the runtime docs reference sensitive credentials (SF_API_KEY, KALSHI_API_KEY_ID, KALSHI_PRIVATE_KEY_PATH) and a Telegram bot token that are not listed in the registry. Before installing or providing credentials: 1) Verify the npm package @spfunctions/cli on npmjs.org (author, downloads, recent versions) and inspect its source code (or the GitHub repo) to ensure it doesn't exfiltrate keys. 2) Prefer least-privilege keys: use API keys with only read or simulated/trading scopes for testing, and avoid placing long-lived private keys on disk if possible. 3) Do not grant trading credentials until you confirm how the agent will obtain explicit confirmation before executing real trades (or run in manual mode). 4) Treat KALSHI_PRIVATE_KEY_PATH as highly sensitive — keep it in a protected location or use a dedicated key with limited permissions. 5) If you rely on Telegram alerts, consider using a bot account with limited exposure. 6) Ask the publisher to correct the registry metadata so required env vars and install steps are explicit. If you cannot validate the npm package source, run the CLI in an isolated environment or avoid supplying live trading credentials.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

📈 Clawdis
Binssf
latestvk974pjnnrfatmngzjevzwf681h83bhk4
108downloads
0stars
1versions
Updated 1mo ago
v0.1.0
MIT-0
@patrickliu0077
latest
Download

SimpleFunctions

AI-native prediction market runtime. Track theses, scan for mispriced contracts on Kalshi and Polymarket, monitor positions, and trade — all through a single CLI built for agents.

Setup

npm install -g @spfunctions/cli
sf setup          # Interactive configuration wizard

Requires a SimpleFunctions account (free tier available at simplefunctions.dev).

Core Commands

Thesis Management

# List all theses
sf list

# Create a new thesis
sf create "Fed will cut rates by 50bps in Q2 2025"

# Get thesis context (primary command for agents)
sf context <thesis-id>

# Inject a signal into the thesis queue
sf signal <thesis-id> "CPI came in hotter than expected"

# Trigger deep evaluation
sf evaluate <thesis-id>

Market Scanning

# Scan Kalshi for contracts matching a query (no auth required)
sf scan "oil prices"

# Top edges across all theses — what to trade right now
sf edges

# Explore public theses
sf explore

Positions & Trading

# Show Kalshi positions with thesis edge overlay
sf positions

# Show resting orders
sf orders

# Account balance
sf balance

# Settled contracts with P&L
sf settlements

Dashboard

# Terminal portfolio dashboard
sf dashboard

Upcoming Events

# Kalshi calendar events
sf milestones

# Market distribution forecast (P50/P75/P90 history)
sf forecast <event-ticker>

Telegram Alerts (Human Users)

Set up Telegram monitoring so SimpleFunctions can push confidence changes and alerts to your phone:

sf telegram --token YOUR_BOTFATHER_TOKEN

Then send /start in Telegram and the bot auto-detects your thesis.

API Keys

  • SF_API_KEY — SimpleFunctions API token (from simplefunctions.dev)
  • KALSHI_API_KEY_ID + KALSHI_PRIVATE_KEY_PATH — for position/order data

Set via environment variables or sf setup.

Notes

  • All commands support --json for scripted/agentic use
  • sf agent <thesis-id> launches interactive natural language mode
  • No auth required for sf scan and sf explore
  • Free plan includes 15M tokens; charge per token after that

Comments

Loading comments...