Skill v1.0.0

ClawScan security

Prediction Fair Value Template · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 30, 2026, 2:58 AM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's declared requirements and code match its stated purpose (scanning Simmer markets and optionally placing trades); nothing indicates hidden exfiltration or unrelated credential requests, but review before enabling live/autonomous trading.
Guidance
This skill appears coherent for trading on Simmer. Before installing:

1) Only provide a Simmer API key you trust and do not reuse high-privilege keys elsewhere.
2) Keep live mode disabled (default dry-run) while testing — run locally and inspect printed reasoning and sized amounts.
3) Verify the sizing logic and edge thresholds to ensure they match your risk tolerance (the template falls back to a $100 bankroll if balances can't be read).
4) Note WALLET_PRIVATE_KEY is declared but unused; if you plan to use external-wallet mode, confirm how keys are handled.
5) Review and vet the simmer-sdk package (pip) and limit the API key scope if possible.
6) Only enable automated live trading once you have verified behavior over multiple dry runs.

Review Dimensions

Purpose & Capability
ok: Name/description, declared env (SIMMER_API_KEY), and pip dependency (simmer-sdk) align with a Simmer trading template. The code calls SimmerClient methods and uses the SDK for discovery, sizing, context checks, and trading — consistent with the stated purpose.
Instruction Scope
ok: SKILL.md instructions match what trade_skill.py does: discovery, sizing, context checks, dry-run default, and opt-in live trading. The runtime instructions do not direct the agent to read unrelated system files or to send data to endpoints other than the Simmer API via the SDK.
Install Mechanism
ok: No arbitrary downloads or extract operations. The manifest lists a pip dependency (simmer-sdk), which is appropriate for a Python SDK-based skill.
Credentials
note: Only SIMMER_API_KEY is required (declared as primaryEnv). An optional WALLET_PRIVATE_KEY is declared in metadata but is not referenced in the code — this is unnecessary but not actively dangerous. SIMMER_ENABLE_LIVE and other strategy vars are proportional to a trading skill.
Persistence & Privilege
note: The skill is configured for automation (cron + automaton.managed entrypoint) so it can be run periodically. always:false, so it won't be force-included. Be cautious: if you enable SIMMER_ENABLE_LIVE or run with --live, the automation can place live trades autonomously.