polymarket-candle-three-soldiers-trader Security Report — Trusted | ClawSafe

5 /100

polymarket-candle-three-soldiers-trader

Trades crypto 5-min interval markets on Polymarket by detecting Three White Soldiers and Three Black Crows candlestick continuation patterns

A legitimate Polymarket trading bot that detects Three White Soldiers / Three Black Crows candlestick patterns and executes paper or live trades via the simmer-sdk. No malicious indicators found.

Skill Namepolymarket-candle-three-soldiers-trader

Duration28.3s

Enginepi

✓

Safe to install

No action needed. The skill is clean and well-documented. Consider pinning the simmer-sdk version in production for supply-chain stability.

Findings 1 items

Severity	Finding	Location
Low	Unpinned simmer-sdk dependency Supply Chain The simmer-sdk dependency is declared in clawhub.json but without a version pin. This could allow a malicious or compromised future version to be installed. `"pip": ["simmer-sdk"]` → Pin the simmer-sdk to a specific version, e.g., "simmer-sdk==1.2.3"	`clawhub.json:3`

Resource	Declared	Inferred	Status	Evidence
Filesystem	`NONE`	`NONE`	—	No Read/Write calls in trader.py
Network	`READ`	`READ`	✓ Aligned	Uses SimmerClient (simmer-sdk) for market discovery and trade execution via HTTP…
Shell	`NONE`	`NONE`	—	No subprocess, os.system, or shell execution in trader.py
Environment	`READ`	`READ`	✓ Aligned	Only reads SIMMER_* tunables documented in SKILL.md
Skill Invoke	`NONE`	`NONE`	—	No inter-skill invocation
Clipboard	`NONE`	`NONE`	—	No clipboard access
Browser	`NONE`	`NONE`	—	No browser automation
Database	`NONE`	`NONE`	—	No direct database access

File Tree

3 files · 23.8 KB · 595 lines

Python 1f · 411L Markdown 1f · 97L JSON 1f · 87L

├─ 📋 clawhub.json JSON 87L · 1.8 KB

├─ 📝 SKILL.md Markdown 97L · 6.2 KB

└─ 🐍 trader.py Python 411L · 15.7 KB

Dependencies 1 items

Package	Version	Source	Known Vulns	Notes
`simmer-sdk`	`*`	pip	No	Version not pinned in clawhub.json -- supply-chain stability concern only

Security Positives

✓ No shell execution, subprocess, or os.system calls -- purely SDK-based

✓ No obfuscation, base64 encoding, or anti-analysis patterns

✓ No sensitive file access (~/.ssh, ~/.aws, .env, etc.)

✓ No credential exfiltration -- SIMMER_API_KEY used only for SimmerClient auth

✓ No data exfiltration to external IPs -- all API calls go to Simmer/Polymarket endpoints

✓ Paper trading is the safe default; --live flag required for real trades

✓ Comprehensive risk parameters documented and exposed as UI tunables

✓ Clear doc-to-code alignment: SKILL.md accurately describes trader.py behavior

✓ No hidden instructions, comments, or shadow functionality

✓ No persistence mechanisms (cron, startup hooks) unless explicitly configured in Simmer UI

Scan Report

Findings 1 items

File Tree

Dependencies 1 items

Security Positives