Auto Trading Winner

Pass

Audited by VirusTotal on May 3, 2026.

Overview

Type: OpenClaw Skill
Name: auto-trading-winner
Version: 1.0.0

The skill is a legitimate trading bot template designed for prediction markets like Kalshi and Polymarket using the simmer-sdk. It implements market discovery, volume-based ranking, and automated or manual trade execution as described in trade_skill.py and SKILL.md. While it references sensitive environment variables such as SOLANA_PRIVATE_KEY and WALLET_PRIVATE_KEY, these are standard requirements for the stated purpose of cross-venue trading, and there is no evidence of data exfiltration, obfuscation, or malicious intent.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If configured for auto/live use, the agent could place trades on selected markets without reviewing each individual order with the user.

Why it was flagged

The skill documents automatic candidate selection and live order capability. For a financial/trading skill, that is high-impact authority, and the artifacts do not clearly bound each order with a hard spend cap or per-trade human approval.

Skill content

In `RUN_MODE=auto`, starts from rank `1` automatically ... If the chosen candidate fails ... falls through to the next ranked candidate ... `SIMMER_ENABLE_LIVE`: Set to `true` to allow live order placement.

Recommendation

Use manual and dry-run modes by default. Before enabling live auto mode, add or verify explicit max position size, daily loss/spend limits, venue/account allowlists, and per-order confirmation or alerting.

What this means

The skill may continue running periodically after installation and could repeatedly evaluate or execute trades if live settings are enabled.

Why it was flagged

The skill is configured for recurring managed execution every 30 minutes. In combination with trading authority, scheduled persistence materially increases the impact of misconfiguration or a bad strategy signal.

Skill content

"cron": "*/30 * * * *", "automaton": { "managed": true, "entrypoint": "trade_skill.py" }

Recommendation

Disable or remove the cron/automaton configuration unless you explicitly want scheduled trading, and ensure live credentials are only available in a tightly limited environment.

What this means

A user may believe a dry-run cannot affect their account, while redemption/settlement actions may still be attempted depending on the Simmer SDK behavior.

Why it was flagged

The visible code calls an auto-redeem API and prints transaction hashes, while the documentation emphasizes that dry-run is the default. The artifacts do not clearly show that auto-redeem is gated by the same live/dry-run controls.

Skill content

for result in client.auto_redeem(): ... print(f"redeemed market={result.get('market_id')} tx={result.get('tx_hash')}")

Recommendation

Document whether auto_redeem performs live account actions, add an explicit opt-in or skip flag, and gate redemption behind the same live/confirmation controls used for trading.

What this means

Providing these credentials can let the skill interact with trading venues or wallet flows associated with your account.

Why it was flagged

The skill declares a required Simmer API key and optional wallet/private keys. These are purpose-aligned for trading, but they are sensitive credentials with account or wallet authority.

Skill content

"SIMMER_API_KEY" ... "SOLANA_PRIVATE_KEY" ... "WALLET_PRIVATE_KEY"

Recommendation

Use dedicated low-balance accounts or limited-scope keys where possible, avoid supplying private keys unless strictly needed, and rotate credentials if you uninstall or stop trusting the skill.

What this means

A future or unexpected dependency version could change trading or credential-handling behavior.

Why it was flagged

The runtime dependency is unpinned. That is common for integrations, but it matters more for a skill that handles trading credentials and live order placement.

Skill content

"requires": { "pip": ["simmer-sdk"], "env": ["SIMMER_API_KEY"] }

Recommendation

Pin and review the simmer-sdk version before live use, and install in an isolated environment.