Trusted — Risk Score 5/100
Last scan: 1 day ago
polymarket-twitter-sentiment-spike-trader
Detects crisis/news spikes across Polymarket markets and adjusts expected posting rates upward for post-count bins. Trades higher bins when spike is detected.
A legitimate Polymarket trading bot that detects crisis signals from Polymarket markets and adjusts position sizing. No malicious behavior observed; paper trading is the default.
Skill Name: polymarket-twitter-sentiment-spike-trader
Duration: 39.2s
Engine: pi
Safe to install
No action required. This is a clean, well-documented trading strategy skill. The SIMMER_API_KEY is scoped to the Simmer/Polymarket API, and the skill defaults to paper trading; live trading requires the explicit --live flag.

Findings: 1 item

Severity Finding Location
Info
Capability matrix declares shell/filesystem permissions not used Doc Mismatch
The pre-scan capability mapping lists Read→filesystem:READ and Bash→shell:WRITE as declared permissions, but no scripts/ directory exists and trader.py contains zero shell calls, subprocess, or direct file I/O. This is a minor doc-to-permission mismatch with no security impact.
capability matrix in pre-scan
→ Clarify in SKILL.md that no direct filesystem or shell access is used — all I/O flows through the simmer-sdk API.
SKILL.md:1
Resource Declared Inferred Status Evidence
Filesystem READ NONE ✓ Aligned trader.py does not open/read/write any files directly; all data flows through Si…
Network READ READ ✓ Aligned trader.py:94-104 — client.find_markets() and client.get_markets() call Polymarke…
Shell WRITE NONE ✓ Aligned No subprocess, no os.system, no shell invocation in trader.py; no scripts/ direc…
Environment NONE READ ✓ Aligned trader.py:71-79 — reads SIMMER_API_KEY and 8 SIMMER_* tunables; this is expected…
Skill Invoke NONE NONE No cross-skill invocation detected
Clipboard NONE NONE No clipboard access
Browser NONE NONE No browser automation
Database NONE NONE No database access
2 findings
Medium External URL
https://simmer.markets/skills
SKILL.md:10
Info Email address
[email protected]
SKILL.md:119

File Tree

3 files · 19.3 KB · 528 lines
Python 1f · 324L Markdown 1f · 121L JSON 1f · 83L
├─ 📋 clawhub.json JSON 83L · 1.6 KB
├─ 📝 SKILL.md Markdown 121L · 5.0 KB
└─ 🐍 trader.py Python 324L · 12.6 KB

Dependencies: 1 item

Package Version Source Known Vulns Notes
simmer-sdk latest (PyPI) pip No Published by [email protected]; source available at https://github.com/SpartanLabsXyz/simmer-sdk

Security Positives

✓ Paper-trading by default — no real trades without explicit --live flag
✓ API key (SIMMER_API_KEY) is scoped to Simmer/Polymarket trading API only
✓ No shell execution, subprocess, or os.system calls
✓ No obfuscation, base64 payloads, or anti-analysis patterns
✓ No access to ~/.ssh, ~/.aws, .env, or other sensitive host paths
✓ No credential harvesting or data exfiltration — all network traffic is Polymarket/Simmer API
✓ Code is clean, readable Python with no malicious patterns
✓ Dependency is a well-known PyPI package (simmer-sdk) with a legitimate publisher
✓ Explicit safety gates: spread check, max position limits, max open positions, context checks (flip-flop detection, slippage checks)
✓ Cron is null and autostart is false — no automated execution on install