X-ray any Polymarket wallet — skill level, entry quality, bot detection, and edge analysis. Queries Polymarket's public APIs, no authentication needed. Inspi...
Security Analysis
medium confidence
The skill mostly matches its stated Polymarket analysis purpose, but included files and docs contradict the "no-auth" claim and reference a Simmer API key and endpoints that are not declared; this inconsistency warrants caution.
The main script (wallet_xray.py) uses only public Polymarket data endpoints (no auth), which matches the description. However README and scripts/status.py refer to Simmer's private API and require a SIMMER_API_KEY; the skill metadata declares no required env vars. The presence of a helper that needs an API key is disproportionate to the core "public data, no auth" claim and is unexplained.
SKILL.md describes only public-data analysis steps. The Quick Commands include scripts/status.py which, when invoked, will read the SIMMER_API_KEY environment variable and call a private Simmer API. The instructions therefore implicitly encourage running code that accesses a private account API even though the skill claims no authentication is needed. There is no runtime guidance about this credential or whether the helper is optional.
There is no automatic install spec (instruction-only), so nothing is downloaded or executed by an installer. README suggests pip installing 'simmer-sdk' and 'requests' but this is advisory only. Lack of an install step lowers automatic risk, but users who follow README may install additional packages — this is expected but should be explicit in metadata.
Registry metadata lists no required env vars, yet scripts/status.py requires SIMMER_API_KEY (sensitive bearer token) and README documents exporting SIMMER_API_KEY. Requesting that secret is not proportional to the stated public-data analysis unless the user intends to run the Simmer-specific helper. The skill should declare this env var or make the helper optional and clearly documented.
The skill does not request always:true, does not auto-start, and does not modify other skills or system configuration. It can be invoked by the agent but there is no elevated persistence or privilege escalation in the package.
Guidance
This skill's core analysis (wallet_xray.py) appears coherent: it queries Polymarket public endpoints and computes forensic metrics without authentication. However, the bundle also includes a helper (scripts/status.py) and README instructions that require a SIMMER_API_KEY and call api.simmer.markets, yet the skill metadata declares no env vars. Before installing or running anything:

- Treat SIMMER_API_KEY as sensitive: do not set it or run scripts/status.py unless you understand and trust the Simmer endpoint and its owner. The skill will not automatically read your env vars, but the helper will if you run it.
- Ask the publisher to clarify whether the Simmer helper is optional and to update the metadata to declare any required credentials. The lack of a homepage and an unknown source/origin increase risk; prefer packages with clear authorship and published sources.
- Inspect and run wallet_xray.py in a sandbox or development environment first (no secrets) to verify its behavior. Search the code for any other undisclosed endpoints before providing credentials.
- If you intend to use the Simmer helper, rotate any API key you test with and grant it minimal privileges. Consider asking the author to separate the public analysis tool from account-specific helpers so the credential surface is explicit.

If the author confirms the Simmer helper is optional and updates the metadata/documentation so the required env var is declared, the concern is reduced. Conversely, if the Simmer endpoint is required for normal operation but not declared, treat that as a stronger warning.
Latest Release
v1.0.4
AgentSkills format — moved platform config to clawhub.json for cross-agent compatibility
Published by @adlai88 on ClawHub