ClawHub

Simul8or Trader

v1.0.3

Autonomous AI trading agent for Simul8or, a live market simulator.

11· 3.4k·8 current·8 all-time
by@day-trading-simulator
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The name/description (autonomous trading for Simul8or) matches the instructions' intent, but the declared registry metadata lists no required env vars or installs while SKILL.md instructs adding a SIMUL8OR_API_KEY to ~/.openclaw/openclaw.json and installing an npm package (simul8or-trader). The metadata and declared requirements are inconsistent with what's needed to actually operate.
!
Instruction Scope
The SKILL.md directs the agent to install and run a global npm package and PM2, create cron jobs, modify ~/.openclaw/openclaw.json, read/write local files (~/market-state.json, ~/price-history.jsonl, ~/commands.json), and make network calls to simul8or.com. Writing keys into the OpenClaw config and persistent background execution expand the skill's scope beyond a simple instruction-only helper.
!
Install Mechanism
There is no declared install spec in the registry, but the instructions tell the user to run 'npm install -g simul8or-trader' and install pm2 globally. Pulling and running an unvetted global npm package (and starting it with PM2) is higher risk; the package and its code were not included for review.
!
Credentials
Although registry metadata lists no required environment variables, SKILL.md expects SIMUL8OR_API_KEY and shows placing it into ~/.openclaw/openclaw.json. That is a sensitive credential that is not declared up-front. Storing an API key in a shared config file may expose it to other skills/agents if file permissions or system access are not restricted.
!
Persistence & Privilege
The instructions explicitly tell the user to run the agent under PM2, save a PM2 startup, and add an OpenClaw cron job, which creates a persistent background service. While always:false in metadata, the skill still requests persistent execution and configuration changes, increasing its runtime blast radius.
What to consider before installing
This skill's SKILL.md and the registry data don't line up. Before installing or enabling it: 1) Do not blindly run 'npm install -g simul8or-trader' — inspect the npm package source (or avoid global install) to confirm what code would run. 2) Expect to provide a SIMUL8OR_API_KEY despite the metadata saying none; treat that key as sensitive and consider creating a limited/sandbox key. 3) Back up ~/.openclaw/openclaw.json and restrict its file permissions; consider whether you want credentials stored in that file. 4) Because the instructions start background services (PM2 + cron), prefer testing in an isolated VM or container so any unintended behavior is contained. 5) Verify the simul8or.com endpoints and that the registration flow is legitimate. If you cannot review the npm package code or are uncomfortable with persistent background services and storing an API key in your OpenClaw config, do not install or enable this skill.

Like a lobster shell, security has layers — review code before you run it.

latestvk97557c81w3wc0gbk4t60fqsf980n03v

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments