polymarket-weather-trader
Audited by Socket on Feb 27, 2026
1 alert found:
Security: Functionally the skill aligns with its stated purpose (automated weather-based trading via NOAA forecasts and Simmer SDK). The primary security concerns are: (1) requiring users to store raw wallet private keys in environment variables, which significantly raises the risk of credential theft and account takeover if the environment, SDK, or CI is compromised; (2) reliance on a third-party SDK/API (simmer-sdk and api.simmer.markets) without provided source or integrity verification, creating a supply-chain risk where malicious updates could exfiltrate keys or perform unauthorized trades; and (3) autonomous live trading capability increases potential financial impact. I recommend: avoid storing long-term private keys in environment variables; prefer hardware wallets or ephemeral signing if supported; audit and pin the simmer-sdk package, review its source to confirm client-side signing and absence of key exfiltration; add explicit human approval gates for live trades or smaller default caps; and document secure logging and key rotation practices.