Scan Report
5 /100
polymarket-candle-timeframe-mismatch-trader
Multi-timeframe analysis for crypto Up or Down markets on Polymarket. Detects when 5-minute candle consensus diverges from the hourly market and trades convergence.
A legitimate Polymarket multi-timeframe trading strategy using a documented SDK with safe paper-trading defaults and no malicious behavior detected.
Safe to install
This skill is safe to use. No action needed beyond normal credential hygiene for SIMMER_API_KEY.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | NONE | NONE | — | trader.py:1-453 |
| Network | NONE | READ | ✓ Aligned | trader.py:49-53 -- calls SimmerClient which makes API calls; no direct HTTP |
| Shell | NONE | NONE | — | trader.py -- no subprocess/os.system/shell invocation |
| Environment | READ | READ | ✓ Aligned | trader.py:44-52 -- reads SIMMER_API_KEY and tuning vars |
| Skill Invoke | NONE | NONE | — | N/A |
| Clipboard | NONE | NONE | — | N/A |
| Browser | NONE | NONE | — | N/A |
| Database | NONE | NONE | — | N/A |
File Tree
3 files · 24.3 KB · 637 lines Python 1f · 453L
Markdown 1f · 97L
JSON 1f · 87L
├─
clawhub.json
JSON
├─
SKILL.md
Markdown
└─
trader.py
Python
Dependencies 1 items
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
simmer-sdk | * | pip | No | Version not pinned in code; pulls from PyPI |
Security Positives
✓ SKILL.md provides comprehensive documentation: strategy logic, credential requirements, safe defaults, and risk parameters
✓ Paper trading (venue='sim') is the hardcoded default; explicit --live flag required for real Polymarket trades
✓ No subprocess, os.system, shell commands, or any form of arbitrary code execution
✓ No direct network HTTP requests; all API traffic goes through the documented simmer-sdk library
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env, etc.) or credential harvesting beyond the declared SIMMER_API_KEY
✓ No obfuscation (no base64, no eval, no encoded strings)
✓ No hidden functionality; code matches stated behavior exactly
✓ Autostart disabled, cron null -- nothing runs automatically
✓ Dependency is a well-known published PyPI package (simmer-sdk) with version pinning available
✓ All risk parameters are declared as tunables in clawhub.json with appropriate ranges