Is adlai88/polymarket-weather-trader safe?
https://github.com/openclaw/skills/tree/main/skills/adlai88/polymarket-weather-trader
The polymarket-weather-trader skill presents a legitimate automated weather trading use case but contains significant security concerns centered on three issues: it trains the AI agent to solicit and store cryptocurrency wallet private keys from users; it delegates all key handling and trade execution to an unauditable third-party SDK (simmer-sdk) whose source cannot be reviewed; and the skill author is the operator of the very platform and SDK being used, creating a direct financial conflict of interest. Sandbox monitoring detected no canary exfiltration and the clone process was clean, but the opaque SDK pipeline and private key collection pattern represent risks that cannot be mitigated by static analysis alone.
Findings (13)
CRITICAL Skill Trains Agent to Solicit Crypto Wallet Private Keys from Users -20
The SKILL.md Setup Flow explicitly instructs the AI agent to ask the user for their Polymarket wallet private key and store it as WALLET_PRIVATE_KEY in the environment. This normalizes the dangerous pattern of AI agents soliciting private keys from users and creates a replicable social engineering template. Any user who follows this workflow has handed irreversible control of their wallet to the environment.
HIGH Unauditable Third-Party SDK Receives Wallet Private Key -25
The skill requires installing simmer-sdk via pip. This package is not included in the repository, cannot be audited here, and receives the user's wallet private key at runtime. The SDK makes network calls to api.simmer.markets and handles all trade signing and execution. A malicious or compromised version on PyPI would silently exfiltrate keys and drain wallets with no detectable change to the skill files.
HIGH Vendor Conflict of Interest: Skill Author Operates the Platform Being Used -20
The skill is published by 'Simmer (@simmer_markets)', who also owns and operates simmer.markets, the simmer-sdk PyPI package, and the api.simmer.markets API endpoint that receives all trade data. Every API call, trade execution, portfolio query, and private key usage flows through infrastructure controlled by the skill author. This creates direct financial incentive to manipulate trade execution, collect credentials, or inflate platform usage statistics.
HIGH Required pip Dependency Is Unauditable and Has Private Key Access -20
The skill metadata declares simmer-sdk as a required pip dependency, but the package source is not bundled in this repository. Once installed, this package receives the wallet private key, signs Polymarket transactions, and communicates with external servers. A supply chain attack on the simmer-sdk PyPI package would silently compromise all skill users.
MEDIUM Agent Instructed to Store Sensitive Credentials as Environment Variables -15
The skill Setup Flow instructs the agent to store both SIMMER_API_KEY and WALLET_PRIVATE_KEY as environment variables. Environment variables are inherited by all child processes and are readable by any other co-installed skill, subprocess, or tool that has process environment access. This is an insecure credential storage pattern for high-value secrets.
MEDIUM Optional tradejournal Integration Sends Trade Data to Unaudited Code -13
weather_trader.py attempts to import log_trade from 'tradejournal' or 'skills.tradejournal'. If the tradejournal skill is installed, every successful trade calls log_trade() with the trade_id, strategy thesis, confidence score, location, forecast temperature, and target date. The tradejournal skill is not part of this audit and could log, transmit, or expose this data.
MEDIUM Automated Trading Can Deplete User Funds Without Adequate Safeguards -20
The skill executes real Polymarket trades when invoked in --live mode or via its automaton entrypoint. Default configuration allows up to 5 trades per run at up to $2.00 each. The --no-safeguards flag disables all flip-flop, slippage, and time-decay checks. Repeated automatic invocations or misconfiguration could drain a user's USDC balance. The skill also prevents the copytrading skill from liquidating weather positions, removing a potential safety valve.
MEDIUM Wallet Private Key Persists in Environment Accessible to All Co-Installed Skills -10
Once WALLET_PRIVATE_KEY is set in the environment per skill instructions, it remains accessible to all future processes in the session. Any other installed skill that executes shell commands, spawns subprocesses, or reads environment variables can trivially access the private key. This creates a persistent, broad exposure surface for a high-value secret.
MEDIUM Skill Directly Executes Real Financial Transactions on Polymarket -10
The skill's Python scripts can execute buy and sell orders on Polymarket using real user funds. The automaton entrypoint enables automatic execution. While the default mode is dry-run, the SKILL.md promotes --live and --quiet --live combinations for high-frequency automated trading. Financial transaction execution is a high-impact capability that warrants elevated scrutiny.
LOW Bundled .clawhub/lock.json References Unrelated Skill Installed 9 Days Prior -10
The skill bundle includes .clawhub/lock.json listing academic-research-hub (v0.1.0) as installed at timestamp 1770957475341 — approximately 9 days before this audit. Normally a .clawhub/lock.json tracks skills installed in a workspace root, not within a skill's own directory. Including this file could confuse the skill manager about what's installed in the current workspace, or could be an artifact of the skill being developed inside a live workspace.
LOW Source Tagging Actively Prevents Other Skills from Managing Positions -12
The skill tags all trades with 'sdk:weather' and explicitly documents that this prevents the copytrading skill from selling weather positions. While framed as a feature for portfolio tracking, this mechanism locks positions against any other risk management skill that might otherwise protect the user's capital. It demonstrates deliberate design to operate outside cross-skill safety controls.
INFO Canary Files Accessed Post-Install, Attributed to Monitoring Framework -10
Multiple credential files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) were accessed after skill installation at timestamps 1771735092, 1771735099, and 1771735103. The monitoring report confirms all canary files are intact. The batch access pattern and timing (coinciding with ip neigh show and git rev-parse in the audit log) suggest these accesses originate from the OpenClaw monitoring framework, not from skill code.
INFO Automaton Entrypoint Enables Managed Automatic Execution -7
The skill metadata declares automaton: {managed: true, entrypoint: weather_trader.py}. This means the ClawdBot runtime may automatically invoke weather_trader.py on a schedule or trigger. The default behavior is dry-run, which mitigates immediate financial risk, but the SKILL.md actively promotes enabling --live mode for automated trading.