Find markets where Simmer's AI consensus diverges from the real market price, then trade on the mispriced side using Kelly sizing. Scans for divergence, chec...
Security Analysis
High confidence: The skill's code and packaging largely match its trading description, but there are multiple inconsistencies in declared requirements, environment variable names/defaults, and config metadata that make the bundle sloppy and potentially risky if you don't review secrets and endpoints first.
The skill is a trading scanner + executor using the Simmer SDK and an API key—this aligns with its stated purpose. The code requires simmer-sdk and SIMMER_API_KEY which are appropriate for the stated function. However, the registry summary at the top claimed "Required env vars: none" while clawhub.json and the code require SIMMER_API_KEY and pip:simmer-sdk; this metadata mismatch is inconsistent and should be corrected before trusting install metadata.
SKILL.md and ai_divergence.py focus on scanning and executing trades and include safeguards (fee checks, flip-flop detection, position/daily-budget checks). But the files also write a local daily_spend.json, call internal SDK endpoints with get_client()._request, and scripts/status.py will make HTTP requests to whatever SIMMER_API_URL is set to. The instructions and manifest do not consistently document all env vars and endpoint overrides, giving the agent more network I/O surface than the top-level registry metadata implies.
There is no arbitrary download; the only external dependency is the simmer-sdk pip package declared in clawhub.json. Using a public pip package is expected for this functionality and lower risk than arbitrary URL-based installs, but you should verify the package source/version before installing.
The skill legitimately needs one API credential (SIMMER_API_KEY). However, the package contains multiple inconsistent env-var names/defaults across SKILL.md, ai_divergence.py, and clawhub.json (e.g., SIMMER_DIVERGENCE_MAX_BET vs SIMMER_DIVERGENCE_MAX_BET_USD, SIMMER_DIVERGENCE_MIN_EDGE vs SIMMER_DIVERGENCE_MIN). These mismatches increase the chance of misconfiguration. Also scripts/status.py honors SIMMER_API_URL, so an incorrectly set endpoint could cause your API key to be sent to a non-official host — a risk if you copy/paste envs from unclear metadata.
The skill does not request always:true or system-wide privileges. It writes a local daily_spend.json and may update its own config via the SDK helper functions; it does not attempt to modify other skills or global agent settings. Automaton.managed is true in clawhub.json (it has an entrypoint) but autostart is false.
Guidance
This package is plausibly what it claims (an automated trading scanner) but it contains sloppy packaging and mismatched metadata that could cause misconfiguration or accidental leakage of your API key. Before installing:
1) Inspect and confirm the simmer-sdk pip package/version and its source (review its repository if you can).
2) Do NOT set SIMMER_API_URL to an untrusted host (scripts/status.py will send your API key there).
3) Use a restricted/test API key if Simmer supports it, and run the skill in dry-run mode (--json or without --live) first.
4) Fix or reconcile env var names in your environment (check that the code expects SIMMER_DIVERGENCE_MAX_BET, SIMMER_DIVERGENCE_MIN_EDGE, etc.) so you don't accidentally give it higher privileges/limits than intended.
5) Review the daily_spend.json location and ensure the agent user has no unexpected write permissions.
6) If you plan to enable autonomous runs, audit the simmer-sdk behavior for network calls and credentials handling.
If you are not comfortable doing these checks, treat this skill as untrusted.
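A pre-install check for steps 2 and 4 above, as an added example that is not part of the skill or of ClawHub: it lists the SIMMER_* names the code actually reads against what SKILL.md and clawhub.json declare, and refuses to run if SIMMER_API_URL points the API key at a host outside an allowlist. The file contents and the allowed hostname are constructed stand-ins modelled on the mismatches described in the analysis, not the skill's real files.

```python
import re
from typing import Dict, Set
from urllib.parse import urlparse

ENV_RE = re.compile(r"\bSIMMER_[A-Z0-9_]+\b")

# Constructed sample contents modelled on the mismatches the analysis lists;
# these are NOT the skill's real files.
SAMPLE_FILES: Dict[str, str] = {
    "SKILL.md": "Env: SIMMER_API_KEY, SIMMER_DIVERGENCE_MAX_BET_USD, SIMMER_DIVERGENCE_MIN",
    "ai_divergence.py": (
        'key = os.environ["SIMMER_API_KEY"]\n'
        'max_bet = float(os.getenv("SIMMER_DIVERGENCE_MAX_BET", "5"))\n'
        'min_edge = float(os.getenv("SIMMER_DIVERGENCE_MIN_EDGE", "0.1"))\n'
    ),
    "scripts/status.py": 'base = os.getenv("SIMMER_API_URL", "https://api.simmer.example")\n',
    "clawhub.json": '{"requires": {"env": ["SIMMER_API_KEY"], "pip": ["simmer-sdk"]}}',
}


def env_refs(files: Dict[str, str]) -> Dict[str, Set[str]]:
    """SIMMER_* names mentioned in each file (docs, code and manifest alike)."""
    return {name: set(ENV_RE.findall(text)) for name, text in files.items()}


def env_mismatches(files: Dict[str, str]) -> Dict[str, Set[str]]:
    """Compare what the code reads against what SKILL.md and clawhub.json declare."""
    refs = env_refs(files)
    code = set().union(*(v for n, v in refs.items() if n.endswith(".py")))
    docs = refs.get("SKILL.md", set())
    manifest = refs.get("clawhub.json", set())
    return {
        # read by the code but absent from the manifest: install metadata understates inputs
        "undeclared_in_manifest": code - manifest,
        # documented but never read: setting these silently does nothing
        "documented_but_unused": docs - code,
    }


def api_url_allowed(env: Dict[str, str], allowed_hosts: Set[str]) -> bool:
    """Refuse to run when SIMMER_API_URL would send the API key to an unexpected host."""
    url = env.get("SIMMER_API_URL")
    if url is None:
        return True  # the scripts fall back to their built-in default endpoint
    parsed = urlparse(url)
    return parsed.scheme == "https" and parsed.hostname in allowed_hosts


if __name__ == "__main__":
    for kind, names in env_mismatches(SAMPLE_FILES).items():
        print(f"{kind}: {sorted(names)}")
```

Run it against the unpacked skill directory by replacing SAMPLE_FILES with the real file contents; any name in documented_but_unused is a limit or budget you think you set but the code never honors.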
Latest Release
v2.1.0
Rename venue simmer to sim
Published by @adlai88 on ClawHub