Trusted: risk score 5/100
Last scan: 1 day ago
polymarket-climate-trader
Trades Polymarket prediction markets on weather extremes, climate milestones, natural disasters, and agricultural outcomes.
A legitimate Polymarket climate prediction market trading bot. No malicious behavior, credential harvesting, obfuscation, or undeclared capabilities detected.
Skill name: polymarket-climate-trader
Analysis time: 40.0s
Engine: pi
Verdict: OK to install
No action needed. The skill is safe to use. Optionally pin the simmer-sdk dependency for supply-chain hygiene.

Security findings (2)

Severity | Finding | Category | Location
Low | simmer-sdk version not pinned | Supply chain | clawhub.json:6
  clawhub.json declares 'simmer-sdk' without a version pin. An attacker who compromises PyPI or the simmer-markets account could push a malicious update. The risk is mitigated by the fact that simmer-sdk is a first-party, actively maintained package published by [email protected].
  Evidence: "pip": ["simmer-sdk"]
  → Pin to a specific version, e.g., "simmer-sdk>=1.0.0,<2.0.0", and verify the hash if a high-security posture is required.
Low | Dead import in trader.py | Code quality | trader.py:5
  The import 'from datetime import datetime, timezone' includes 'timezone', which is never used in the file. This is a minor code quality issue with no security impact.
  Evidence: from datetime import datetime, timezone
  → Remove 'timezone' from the import: 'from datetime import datetime'
Resource | Declared | Inferred | Status | Evidence
File system | NONE | NONE | | No file read/write calls in trader.py
Network access | READ | READ | ✓ Consistent | SimmerClient trades via HTTPS to polymarket.com; declared in SKILL.md as Polymar…
Command execution | NONE | NONE | | No subprocess, os.system, or shell execution calls
Environment variables | READ | READ | ✓ Consistent | trader.py reads only SIMMER_API_KEY + SIMMER_* tunables; no iteration over os.en…
Skill invocation | NONE | NONE | | No nested skill invocations
Clipboard | NONE | NONE | | No clipboard access
Browser | NONE | NONE | | No browser automation
Database | NONE | NONE | | No database access
5 findings
Severity | Type | Value | Location
Medium | External URL | https://www.ncdc.noaa.gov/cdo-web/ | SKILL.md:84
Medium | External URL | https://open-meteo.com/ | SKILL.md:85
Medium | External URL | https://cds.climate.copernicus.eu/ | SKILL.md:86
Medium | External URL | https://forecastex.com/ | SKILL.md:87
Info | Email address | [email protected] | SKILL.md:139

Directory structure

3 files · 17.7 KB · 457 lines
Python: 1 file, 243 lines · Markdown: 1 file, 141 lines · JSON: 1 file, 73 lines
├─ clawhub.json  JSON · 73 lines · 1.2 KB
├─ SKILL.md      Markdown · 141 lines · 6.5 KB
└─ trader.py     Python · 243 lines · 10.0 KB

Dependency analysis (1)

Package | Version | Source | Known vulnerabilities | Notes
simmer-sdk | * | pip | | Version not pinned — first-party PyPI package from Simmer Markets

Security highlights

✓ Paper trading is the safe default — real trades require explicit --live flag
✓ No shell execution, no subprocess, no os.system calls
✓ No credential harvesting — only reads SIMMER_API_KEY and SIMMER_* tunables (not all of os.environ)
✓ No obfuscation — all code is human-readable plain Python
✓ No hidden functionality — SKILL.md accurately describes all behavior
✓ Safeguards: spread gate, days-to-resolution gate, flip-flop discipline, slippage check
✓ Position sizing is capped at MAX_POSITION ($20–25 by default), limiting financial damage from any bug
✓ SimmerClient is a first-party SDK from a named vendor ([email protected])
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env files, etc.)
✓ External URLs (NOAA, Open-Meteo, Copernicus) are all legitimate, public, free data sources
✓ Autostart is false; cron is null — skill will not auto-execute on install