polymarket-climate-trader Security Report — Trusted | ClawSafe

5 /100

polymarket-climate-trader

Trades Polymarket prediction markets on weather extremes, climate milestones, natural disasters, and agricultural outcomes.

A legitimate Polymarket climate prediction market trading bot. No malicious behavior, credential harvesting, obfuscation, or undeclared capabilities detected.

Skill Namepolymarket-climate-trader

Duration40.0s

Enginepi

✓

Safe to install

No action needed. The skill is safe to use. Optionally pin the simmer-sdk dependency for supply-chain hygiene.

Findings 2 items

Severity	Finding	Location
Low	simmer-sdk version not pinned Supply Chain clawhub.json declares 'simmer-sdk' without a version pin. An attacker who compromises PyPI or the simmer-markets account could push a malicious update. The risk is mitigated by the fact that simmer-sdk is a first-party, actively maintained package published by [email protected]. `"pip": ["simmer-sdk"]` → Pin to a specific version, e.g., "simmer-sdk>=1.0.0,<2.0.0", and verify the hash if high-security posture is required.	`clawhub.json:6`
Low	Dead import in trader.py code_quality The import 'from datetime import datetime, timezone' includes 'timezone' which is never used in the file. This is a minor code quality issue with no security impact. `from datetime import datetime, timezone` → Remove 'timezone' from the import: 'from datetime import datetime'	`trader.py:5`

Resource	Declared	Inferred	Status	Evidence
Filesystem	`NONE`	`NONE`	—	No file read/write calls in trader.py
Network	`READ`	`READ`	✓ Aligned	SimmerClient trades via HTTPS to polymarket.com; declared in SKILL.md as Polymar…
Shell	`NONE`	`NONE`	—	No subprocess, os.system, or shell execution calls
Environment	`READ`	`READ`	✓ Aligned	trader.py reads only SIMMER_API_KEY + SIMMER_* tunables; no iteration over os.en…
Skill Invoke	`NONE`	`NONE`	—	No nested skill invocations
Clipboard	`NONE`	`NONE`	—	No clipboard access
Browser	`NONE`	`NONE`	—	No browser automation
Database	`NONE`	`NONE`	—	No database access

5 findings

🔗

Medium External URL 外部 URL

https://www.ncdc.noaa.gov/cdo-web/

SKILL.md:84

🔗

Medium External URL 外部 URL

https://open-meteo.com/

SKILL.md:85

🔗

Medium External URL 外部 URL

https://cds.climate.copernicus.eu/

SKILL.md:86

🔗

Medium External URL 外部 URL

https://forecastex.com/

SKILL.md:87

📧

Info Email 邮箱地址

[email protected]

SKILL.md:139

File Tree

3 files · 17.7 KB · 457 lines

Python 1f · 243L Markdown 1f · 141L JSON 1f · 73L

├─ 📋 clawhub.json JSON 73L · 1.2 KB

├─ 📝 SKILL.md Markdown 141L · 6.5 KB

└─ 🐍 trader.py Python 243L · 10.0 KB

Dependencies 1 items

Package	Version	Source	Known Vulns	Notes
`simmer-sdk`	`*`	pip	No	Version not pinned — first-party PyPI package from Simmer Markets

Security Positives

✓ Paper trading is the safe default — real trades require explicit --live flag

✓ No shell execution, no subprocess, no os.system calls

✓ No credential harvesting — only reads SIMMER_API_KEY and SIMMER_* tunables (not all of os.environ)

✓ No obfuscation — all code is human-readable plain Python

✓ No hidden functionality — SKILL.md accurately describes all behavior

✓ Safeguards: spread gate, days-to-resolution gate, flip-flop discipline, slippage check

✓ Position sizing is capped at MAX_POSITION ($20–25 by default), limiting financial damage from any bug

✓ SimmerClient is a first-party SDK from a named vendor ([email protected])

✓ No access to sensitive paths (~/.ssh, ~/.aws, .env files, etc.)

✓ External URLs (NOAA, Open-Meteo, Copernicus) are all legitimate, public, free data sources

✓ Autostart is false; cron is null — skill will not auto-execute on install

Scan Report

Findings 2 items

File Tree

Dependencies 1 items

Security Positives