中文 EN

扫描报告

扫描新文件

可信 — 风险评分 5/100
上次扫描:1 天前 重新扫描
5 /100
polymarket-twitter-sentiment-spike-trader
Detects crisis/news spikes across Polymarket markets and adjusts expected posting rates upward for post-count bins. Trades higher bins when spike is detected.
A legitimate Polymarket trading bot that detects crisis signals from Polymarket markets and adjusts position sizing. No malicious behavior observed; full paper-trading safety default.
技能名称polymarket-twitter-sentiment-spike-trader
分析耗时39.2s
引擎pi
可以安装
No action required. This is a clean, well-documented trading strategy skill. The SIMMER_API_KEY is scoped to the Simmer/Polymarket API and the skill defaults to paper trading with no live trading without explicit --live flag.

安全发现 1 项

严重性 安全发现 位置
提示
Capability matrix declares shell/filesystem permissions not used 文档欺骗
The pre-scan capability mapping lists Read→filesystem:READ and Bash→shell:WRITE as declared permissions, but no scripts/ directory exists and trader.py contains zero shell calls, subprocess, or direct file I/O. This is a minor doc-to-permission mismatch with no security impact.
capability matrix in pre-scan
→ Clarify in SKILL.md that no direct filesystem or shell access is used — all I/O flows through the simmer-sdk API.
 SKILL.md:1
资源类型声明权限推断权限状态证据
文件系统 READ NONE ✓ 一致 trader.py does not open/read/write any files directly; all data flows through Si…
网络访问 READ READ ✓ 一致 trader.py:94-104 — client.find_markets() and client.get_markets() call Polymarke…
命令执行 WRITE NONE ✓ 一致 No subprocess, no os.system, no shell invocation in trader.py; no scripts/ direc…
环境变量 NONE READ ✓ 一致 trader.py:71-79 — reads SIMMER_API_KEY and 8 SIMMER_* tunables; this is expected…
技能调用 NONE NONE No cross-skill invocation detected
剪贴板 NONE NONE No clipboard access
浏览器 NONE NONE No browser automation
数据库 NONE NONE No database access
2 项发现
🔗
中危 外部 URL 外部 URL
https://simmer.markets/skills
SKILL.md:10
📧
提示 邮箱 邮箱地址
[email protected]
SKILL.md:119

目录结构

3 文件 · 19.3 KB · 528 行
Python 1f · 324L Markdown 1f · 121L JSON 1f · 83L
├─ 📋 clawhub.json JSON 83L · 1.6 KB
├─ 📝 SKILL.md Markdown 121L · 5.0 KB
└─ 🐍 trader.py Python 324L · 12.6 KB

依赖分析 1 项

包名版本来源已知漏洞备注
simmer-sdk latest (PyPI) pip Published by [email protected]; source available at https://github.com/SpartanLabsXyz/simmer-sdk

安全亮点

✓ Paper-trading by default — no real trades without explicit --live flag
✓ API key (SIMMER_API_KEY) is scoped to Simmer/Polymarket trading API only
✓ No shell execution, subprocess, or os.system calls
✓ No obfuscation, base64 payloads, or anti-analysis patterns
✓ No access to ~/.ssh, ~/.aws, .env, or other sensitive host paths
✓ No credential harvesting or data exfiltration — all network traffic is Polymarket/Simmer API
✓ Code is clean, readable Python with no malicious patterns
✓ Dependency is a well-known PyPI package (simmer-sdk) with a legitimate publisher
✓ Explicit safety gates: spread check, max position limits, max open positions, context checks (flip-flop detection, slippage checks)
✓ Cron is null and autostart is false — no automated execution on install