Generate complete, installable OpenClaw trading skills from natural language strategy descriptions. Use when your human wants to create a new trading strateg...
Security Analysis
high confidenceThe skill claims to be an instruction-only 'skill builder' but ships scripts and a clawhub.json that require SIMMER_API_KEY and simmer-sdk; the package's declared requirements/data are inconsistent with the files and could lead you to expose an API key or run networked code you didn't expect.
The skill's stated purpose is code generation (no need to talk to Simmer). However the repository includes a clawhub.json and example scripts that reference SIMMER_API_KEY and the simmer-sdk package. The builder itself does not need an API key to produce code, so embedding / advertising a required SIMMER_API_KEY and a runtime dependency is disproportionate and inconsistent.
SKILL.md is a detailed generator spec and mostly stays on-task (generate skill folders, copy templates, fetch external API docs when the generated skill will use them). It does allow the agent to 'web-fetch' external API docs when needed — reasonable for generation, but this gives the agent network access to arbitrary docs/resources during generation; the instructions do not instruct exfiltration of secrets.
No install spec (instruction-only) and included files are local examples and validators. There are no remote downloads or extracted archives in the package, which keeps install risk low.
Registry metadata lists no required env vars, but the included clawhub.json and example scripts expect SIMMER_API_KEY and pip dependency 'simmer-sdk'. The references also document WALLET_PRIVATE_KEY / SOLANA_PRIVATE_KEY as required for real venues (these are only mentioned in docs, not required by this package). The mismatch between declared requirements and file contents is a red flag: running included scripts (e.g., scripts/status.py) would require your SIMMER_API_KEY.
The skill does not request persistent/always-on privileges (always:false) and does not modify other skills. No automaton entrypoint is defined in the provided clawhub.json for the builder itself.
Guidance
This package is a code-generator for trading skills and includes example scripts and a validator. However, its files contradict the registry metadata: the repo contains clawhub.json and scripts that reference SIMMER_API_KEY and simmer-sdk even though the skill lists no required env vars. Before installing or running anything: 1) Inspect clawhub.json, SKILL.md and scripts/status.py/validate_skill.py locally; 2) Do not set or export your SIMMER_API_KEY or any private wallet keys in your environment for this skill unless you explicitly want the skill to use your account — prefer test/paper keys; 3) Run the validator locally (python scripts/validate_skill.py) and review any generated skill folder before installing it into your agent; 4) If you allow the agent to web-fetch external API docs during generation, prefer running it in an isolated environment (no sensitive env vars) and review outbound network requests; 5) Be cautious about any generated skill that asks for WALLET_PRIVATE_KEY or SOLANA_PRIVATE_KEY — those are high-value secrets for real trading and should only be provided to audited code you fully trust.
Latest Release
v1.1.0
Rename venue simmer to sim
More by @adlai88
Published by @adlai88 on ClawHub
