Trusted: risk score 5/100
Last scan: 1 day ago
polymarket-macro-inflation-chain-trader
Three-step macro chain reaction trader for Polymarket. Chains commodity pressure through inflation and rate expectations to equity-threshold markets.
A legitimate Polymarket macro trading skill with no malicious behavior detected. Clean Python codebase with paper-trading safety defaults, clear credential handling, and well-documented trading logic.
Skill name: polymarket-macro-inflation-chain-trader
Analysis time: 32.8s
Engine: pi
Verdict: safe to install
No action needed. Skill is safe to use. Optionally pin the simmer-sdk version for reproducible builds.

Security findings: 1

Severity | Finding | Category | Location
Info | simmer-sdk dependency not version-pinned | Supply chain | clawhub.json:5

The skill depends on simmer-sdk from PyPI without a pinned version in clawhub.json. While the publisher ([email protected]) is known and documented in SKILL.md with a source-review recommendation, unpinned dependencies carry supply chain risk.
Evidence (clawhub.json:5): "requires": {"pip": ["simmer-sdk"]}
Recommendation: pin to a specific version, e.g. "simmer-sdk>=1.0.0,<2.0.0", or to an exact version. SKILL.md already recommends reviewing the source before providing live credentials, which is good practice.
Resource type | Declared permission | Inferred permission | Status | Evidence
Filesystem | NONE | NONE | | No filesystem access detected in code
Network access | NONE | NONE | | All network calls go through simmer-sdk SimmerClient
Command execution | NONE | NONE | | No subprocess/os.system calls found
Environment variables | READ | READ | ✓ consistent | trader.py:37-50 reads SIMMER_* env vars via os.environ.get()
Skill invocation | NONE | NONE | | No skill invocation detected
Clipboard | NONE | NONE | | No clipboard access
Browser | NONE | NONE | | No browser access
Database | NONE | NONE | | No database access
Sensitive data findings: 1

Severity | Type | Finding | Value | Location
Info | Email | Email address | [email protected] | SKILL.md:146

Directory structure

3 files · 29.0 KB · 745 lines
Python: 1 file, 486 lines · Markdown: 1 file, 148 lines · JSON: 1 file, 111 lines
├─ 📋 clawhub.json  JSON, 111 lines · 2.4 KB
├─ 📝 SKILL.md      Markdown, 148 lines · 7.0 KB
└─ 🐍 trader.py     Python, 486 lines · 19.6 KB

Dependency analysis: 1

Package | Version | Source | Known vulnerabilities | Notes
simmer-sdk | * | pip (PyPI) | | Version not pinned. Publisher documented ([email protected]), GitHub source linked in SKILL.md

Security highlights

✓ No subprocess, os.system, or any shell execution detected
✓ No credential theft: only reads SIMMER_API_KEY from environment, no harvesting of ~/.ssh, ~/.aws, or other sensitive paths
✓ No data exfiltration: no external network calls besides the simmer-sdk API client
✓ No obfuscation: clean, readable Python with no base64, eval, or anti-analysis techniques
✓ No persistence mechanisms: no cron jobs, startup hooks, or backdoor installation
✓ Paper trading is the safe default (venue='sim'); live trading requires an explicit --live flag
✓ Flip-flop and slippage safeguards implemented for trading safety
✓ Spread and days-to-resolution gates prevent low-liquidity trades
✓ SKILL.md accurately describes the skill's behavior with clear safety disclaimers
✓ Dependency publisher is documented with PyPI and GitHub links, with source-review recommendation for live credentials
✓ Skill does not download or install any external scripts at runtime