polymarket-macro-inflation-chain-trader Security Report — Trusted | ClawSafe

5 /100

polymarket-macro-inflation-chain-trader

Three-step macro chain reaction trader for Polymarket. Chains commodity pressure through inflation and rate expectations to equity-threshold markets.

A legitimate Polymarket macro trading skill with no malicious behavior detected. Clean Python codebase with paper-trading safety defaults, clear credential handling, and well-documented trading logic.

Skill Namepolymarket-macro-inflation-chain-trader

Duration32.8s

Enginepi

✓

Safe to install

No action needed. Skill is safe to use. Optionally pin the simmer-sdk version for reproducible builds.

Findings 1 items

Severity	Finding	Location
Info	simmer-sdk dependency not version-pinned Supply Chain The skill depends on simmer-sdk from PyPI without a pinned version in clawhub.json. While the publisher ([email protected]) is known and documented in SKILL.md with a source-review recommendation, unpinned dependencies carry supply chain risk. `"requires": {"pip": ["simmer-sdk"]}` → Pin to a specific version: "simmer-sdk>=1.0.0,<2.0.0" or exact version. SKILL.md already recommends reviewing the source before providing live credentials, which is good practice.	`clawhub.json:5`

Resource	Declared	Inferred	Status	Evidence
Filesystem	`NONE`	`NONE`	—	No filesystem access detected in code
Network	`NONE`	`NONE`	—	All network calls go through simmer-sdk SimmerClient
Shell	`NONE`	`NONE`	—	No subprocess/os.system calls found
Environment	`READ`	`READ`	✓ Aligned	trader.py:37-50 reads SIMMER_* env vars via os.environ.get()
Skill Invoke	`NONE`	`NONE`	—	No skill invocation detected
Clipboard	`NONE`	`NONE`	—	No clipboard access
Browser	`NONE`	`NONE`	—	No browser access
Database	`NONE`	`NONE`	—	No database access

1 findings

📧

Info Email 邮箱地址

[email protected]

SKILL.md:146

File Tree

3 files · 29.0 KB · 745 lines

Python 1f · 486L Markdown 1f · 148L JSON 1f · 111L

├─ 📋 clawhub.json JSON 111L · 2.4 KB

├─ 📝 SKILL.md Markdown 148L · 7.0 KB

└─ 🐍 trader.py Python 486L · 19.6 KB

Dependencies 1 items

Package	Version	Source	Known Vulns	Notes
`simmer-sdk`	`*`	pip (PyPI)	No	Version not pinned. Publisher documented ([email protected]), GitHub source linked in SKILL.md

Security Positives

✓ No subprocess, os.system, or any shell execution detected

✓ No credential theft: only reads SIMMER_API_KEY from environment, no harvesting of ~/.ssh, ~/.aws, or other sensitive paths

✓ No data exfiltration: no external network calls besides the simmer-sdk API client

✓ No obfuscation: clean, readable Python with no base64, eval, or anti-analysis techniques

✓ No persistence mechanisms: no cron jobs, startup hooks, or backdoor installation

✓ Paper trading is the safe default (venue='sim'), live trading requires explicit --live flag

✓ Flip-flop and slippage safeguards implemented for trading safety

✓ Spread and days-to-resolution gates prevent low-liquidity trades

✓ SKILL.md accurately describes the skill's behavior with clear safety disclaimers

✓ Dependency publisher is documented with PyPI and GitHub links, with source-review recommendation for live credentials

✓ Skill does not download or install any external scripts at runtime

Scan Report

Findings 1 items

File Tree

Dependencies 1 items

Security Positives