Trusted: risk score 5/100
Last scanned: 1 day ago
polymarket-resolution-lattice-trader
Trades Polymarket markets by detecting logical inconsistencies between related contracts such as earlier-vs-later deadlines and prerequisite-vs-downstream event chains.
This is a legitimate Polymarket trading strategy that detects cross-market logical inconsistencies. It has safe defaults (paper trading), no shell execution, no obfuscation, and all credential access is declared and necessary for trading.
Skill name: polymarket-resolution-lattice-trader
Analysis time: 33.8s
Engine: pi
Safe to install
Approve for use. The skill is well-structured with clear safety mechanisms. Consider pinning the simmer-sdk version for reproducible builds.

Security findings: 1

Severity: Low
Finding: Unpinned dependency version (Supply chain)
Location: clawhub.json:10
simmer-sdk dependency has no version constraint (*), which could lead to unexpected behavior if a malicious or buggy version is published.
"pip": ["simmer-sdk"]
→ Pin to a specific version (e.g., "simmer-sdk==1.2.3") or a tight range (e.g., "simmer-sdk>=1.0.0,<2.0.0")
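| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| Filesystem | NONE | NONE | | No file operations in code |
| Network access | READ | READ | ✓ Consistent | Uses SimmerClient SDK for API calls (trader.py:31) |
| Command execution | NONE | NONE | | No subprocess or shell execution detected |
| Environment variables | READ | READ | ✓ Consistent | Only reads declared SIMMER_* env vars (trader.py:58-65) |
| Skill invocation | NONE | NONE | | No skill invocation detected |
| Clipboard | NONE | NONE | | No clipboard access |
| Browser | NONE | NONE | | No browser automation |
| Database | NONE | NONE | | No database access |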

Directory structure

3 files · 21.3 KB · 628 lines
Python 1f · 403L Markdown 1f · 126L JSON 1f · 99L
├─ 📋 clawhub.json JSON 99L · 1.6 KB
├─ 📝 SKILL.md Markdown 126L · 5.0 KB
└─ 🐍 trader.py Python 403L · 14.7 KB

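Dependency analysis: 1 item

| Package | Version | Source | Known vulnerabilities | Notes |
|---|---|---|---|---|
| simmer-sdk | * | pip | | Version not pinned - recommend pinning to specific version |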

Security highlights

✓ Safe defaults: paper trading (sim) mode enabled by default with explicit --live flag required for real trades
✓ No shell execution or subprocess usage
✓ No obfuscation techniques (no base64, eval, or dynamic code execution)
✓ No sensitive path access (~/.ssh, ~/.aws, .env files)
✓ No credential exfiltration - only reads SIMMER_API_KEY for trading authentication
✓ All environment variable access is declared in SKILL.md
✓ Clear documentation with safety table explaining financial risk per execution mode
✓ No hidden functionality - code matches documented behavior
✓ Implements appropriate safeguards (flip-flop detection, slippage checks, position limits)
✓ Autostart disabled, cron null - no automatic execution without user configuration