Mirror positions from top Polymarket traders using Simmer API. Size-weighted aggregation across multiple wallets.
Security Analysis
medium confidence
The skill is mostly coherent for copytrading via the Simmer API, but there are metadata/inventory inconsistencies and it will transmit wallet addresses and can execute real trades using your SIMMER_API_KEY — review before installing and start in dry-run/paper mode.
The code and SKILL.md implement Polymarket copytrading via the Simmer SDK (fetch wallets, aggregate, execute trades), which matches the skill's stated purpose. However, registry-level metadata in the provided header claimed no required environment variables while the included clawhub.json and code require SIMMER_API_KEY and a pip dependency (simmer-sdk). This mismatch is an incoherence in the packaging/metadata (not necessarily malicious) and should be corrected/understood before use.
Runtime instructions and scripts limit their activity to Simmer SDK interactions (fetch portfolio/positions, post to /api/sdk/copytrading/execute, execute trades, import markets, set risk monitors). This is within the advertised purpose. Important operational consequence: the skill will send provided wallet addresses and configuration to api.simmer.markets (server-side copytrading executes there). There are no instructions to read arbitrary local secrets or unrelated system files, but the skill does reference a local config path and environment variables for settings.
There is no remote download URL; the manifest indicates a pip dependency on 'simmer-sdk' (clawhub.json). Installing simmer-sdk from PyPI is the expected way to enable the SDK, but pip packages can run arbitrary code on install — users should verify the simmer-sdk package source and version. The skill itself is instruction + included Python scripts (no opaque remote installer).
The skill requires SIMMER_API_KEY (declared in clawhub.json and checked at runtime). That credential is proportionate to a trading integration but is powerful: it allows the skill to query portfolio/positions and to place real trades (depending on 'venue' and the '--live' flag). The earlier top-level metadata incorrectly listed no required env vars, which is misleading. The code also respects other env vars (TRADING_VENUE, SIMMER_COPYTRADING_* tunables, AUTOMATON_MAX_BET), which are reasonable, but the primary concern is that providing SIMMER_API_KEY grants trading authority — treat it like a privileged secret.
The skill is not set to always:true and is not autostarting. It is automaton-managed with an entrypoint but autostart is false. It does not request elevated system privileges or modify other skills' configs. Autonomous invocation is allowed (platform default), so be aware the agent could call the skill during operation, but that is expected functionality for a trading skill.
Guidance
This skill genuinely implements copytrading through the Simmer API, but before installing: (1) understand SIMMER_API_KEY is required and can be used to place real trades — only provide it if you trust simmer.markets and want the agent to be able to trade; (2) start with --dry-run and use 'venue=sim' (paper $SIM) to observe behavior before enabling --live; (3) verify the simmer-sdk package source/version (pip package runs code at install); (4) note the packaging/metadata inconsistency (registry said no env required but clawhub.json requires SIMMER_API_KEY) — this should be clarified by the publisher; (5) consider using a limited/revocable API key or monitoring/revoking the key if unexpected trades occur.
Latest Release
v1.5.4
- Bumped version to 1.5.4 in SKILL.md.
- Clarified that, by default, only buys execute—use `--rebalance` or `--whale-exits` for selling positions.
- No other functional or structural changes noted.
Published by @adlai88 on ClawHub