Trade Kalshi weather markets using NOAA forecasts via Simmer SDK and DFlow on Solana. Port of the popular polymarket-weather-trader. Use when user wants to t...
Security Analysis
medium confidence
The skill is a coherent Kalshi weather-trading bot that legitimately needs a Simmer API key and a Solana private key to place live trades, but there are a few metadata/instruction inconsistencies and sensitive key-handling choices you should review before installing.
The skill's code, SKILL.md, and clawhub.json consistently describe a Simmer/DFlow-on-Solana weather trading bot and require SIMMER_API_KEY and SOLANA_PRIVATE_KEY — both are proportionate for live trading. One inconsistency: the top-level 'Requirements' block in the supplied registry summary said 'Required env vars: none', but clawhub.json and the SKILL.md explicitly require those two credentials. This appears to be a metadata omission, not a functional mismatch.
The runtime instructions stay within trading scope (fetch Simmer markets, NOAA forecasts, sign trades with the Solana key). They instruct the agent to ask the user for SIMMER_API_KEY and SOLANA_PRIVATE_KEY and to store them in environment variables. Storing a private key in an env var is sensitive — the instructions do not offer safer alternatives (hardware wallet, signing service). The code also optionally calls a trade-journal hook (log_trade) if a tradejournal package is present, which could send trade data externally depending on that package.
There is no install spec in the skill bundle (instruction-only install), but clawhub.json declares a pip dependency on 'simmer-sdk'. That dependency is expected for the stated purpose. Because there's no automated install step included, the consumer or platform will need to install simmer-sdk themselves; verify the package origin and contents before installing into an environment that holds secrets or funds.
The skill requires SIMMER_API_KEY and SOLANA_PRIVATE_KEY, which are necessary for trading. However, asking users to place their Solana private key directly into environment variables is high-risk (env vars can leak via logs, process lists, backups, or a misconfigured host). No unrelated credentials are requested. Also note the skill may read other environment variables (TRADING_VENUE, AUTOMATON_MAX) and writes/loads config via simmer_sdk.skill (which may persist settings to disk).
The skill is not always-enabled and does not request elevated platform privileges. It is marked autostart: false in the metadata. The automaton entrypoint is the skill script itself, which is expected. No changes to other skills' configs are observed.
Guidance
This skill appears to do what it says: automated weather trading on Kalshi via Simmer and Solana. Before installing:
1) Expect to provide SIMMER_API_KEY and your SOLANA_PRIVATE_KEY for live trading — treat the Solana key as extremely sensitive. Prefer using a dedicated trading wallet with limited funds or an external signing service/hardware wallet rather than your main wallet.
2) Verify and install the simmer-sdk package from PyPI/GitHub in an isolated environment; review its code if possible.
3) Run the skill in dry-run mode first and review logs to ensure secrets aren't exposed.
4) Be cautious about enabling cron/autostart; keep autostart disabled until you’ve audited behavior.
5) Note the optional trade-journal integration (log_trade) — confirm what that package does before installing, since it could transmit trade data.
6) The registry metadata had a mismatch about required env vars (likely an omission) — confirm required credentials with the skill author or repository before providing keys.
Latest Release
v1.0.0
Kalshi Weather Trader v1.0.0
- Initial release: trade Kalshi weather markets using NOAA forecasts via Simmer SDK and DFlow on Solana.
- Supports automated trading, market discovery, NOAA forecast parsing, and live trade execution.
- Customizable entry/exit thresholds, position sizing, city selection, and other trading parameters.
- Includes safeguards for slippage, KYC, time decay, and flip-flop detection.
- Provides commands to check balances, positions, and perform dry runs or live trades.
- Requires Simmer API key, Solana private key, KYC verification, and wallet funding to operate.
Published by @adlai88 on ClawHub