Scan Report
5 /100
polymarket-48h-geopolitics-cluster-trader
Trades logical inconsistencies in geopolitical event clusters on Polymarket using consistency arbitrage
A legitimate Polymarket geopolitical cluster arbitrage trading skill with clean code, declared credentials, and safe-by-default paper trading mode.
Safe to install
No action required. The skill is safe to use. Ensure SIMMER_API_KEY is treated as a high-value credential as documented.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | NONE | NONE | — | trader.py: No file open/write operations detected |
| Network | READ | READ | ✓ Aligned | trader.py:23 - uses simmer-sdk for Polymarket API calls only |
| Shell | NONE | NONE | — | trader.py: No subprocess/os.system/eval/exec detected |
| Environment | READ | READ | ✓ Aligned | trader.py:34-42 - reads only declared SIMMER_* tuning parameters |
| Skill Invoke | NONE | NONE | — | No skill invocation patterns detected |
| Clipboard | NONE | NONE | — | No clipboard access detected |
| Browser | NONE | NONE | — | No browser automation detected |
| Database | NONE | NONE | — | No database access detected |
File Tree
3 files · 30.9 KB · 800 lines Python 1f · 594L
Markdown 1f · 119L
JSON 1f · 87L
├─
clawhub.json
JSON
├─
SKILL.md
Markdown
└─
trader.py
Python
Dependencies 1 items
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
simmer-sdk | * | pip | No | External SDK - PyPI package, not pinned. Network calls occur within SDK implementation. |
Security Positives
✓ Safe-by-default design: paper trading (venue='sim') is the default mode; --live flag required for real trades
✓ No shell execution: zero subprocess, os.system, eval, or exec calls
✓ No file system writes: only reads declared environment variables
✓ No obfuscation: clean, readable code with no base64, encoded strings, or anti-analysis patterns
✓ Clear documentation: all credentials and tuning parameters documented in SKILL.md and clawhub.json
✓ Minimal dependency surface: only uses standard library + simmer-sdk from PyPI
✓ No credential harvesting: does not iterate os.environ or access ~/.ssh, ~/.aws, .env
✓ No data exfiltration: no outbound connections to arbitrary IPs, all network via official simmer-sdk
✓ Autostart disabled: 'autostart: false' prevents automatic execution
✓ No cron/scheduled tasks: 'cron: null' means no persistence mechanism