Scan Report
5 /100
polymarket-candle-cross-asset-divergence-trader
Detects cross-asset divergence in Polymarket crypto 5-minute interval markets and trades convergence
A legitimate Polymarket crypto trading skill with no malicious behavior, safe paper-trading defaults, and clean well-documented code.
Safe to install
Approve for use. Consider pinning the simmer-sdk version for improved supply chain hygiene.
Findings 1 items
| Severity | Finding | Location |
|---|---|---|
| Low | Unpinned simmer-sdk dependency Supply Chain | clawhub.json:3 |
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | NONE | NONE | — | No filesystem access in code |
| Network | READ | READ | ✓ Aligned | SDK API calls only through SimmerClient |
| Shell | NONE | NONE | — | No subprocess or shell execution |
| Environment | READ | READ | ✓ Aligned | Only declared tunables: SIMMER_API_KEY, SIMMER_MAX_POSITION, etc. |
| Skill Invoke | NONE | NONE | — | No skill invocation |
| Clipboard | NONE | NONE | — | No clipboard access |
| Browser | NONE | NONE | — | No browser access |
| Database | NONE | NONE | — | No database access |
File Tree
3 files · 22.4 KB · 559 lines Python 1f · 377L
Markdown 1f · 95L
JSON 1f · 87L
├─
clawhub.json
JSON
├─
SKILL.md
Markdown
└─
trader.py
Python
Dependencies 1 items
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
simmer-sdk | * | pip | No | Version not pinned - minor supply chain risk |
Security Positives
✓ Safe default behavior: paper trading (sim mode) unless --live flag explicitly provided
✓ Clean code with no subprocess, shell execution, or file operations
✓ No credential exfiltration or sensitive data transmission outside SDK
✓ Well-documented strategy with clear explanation of trading logic
✓ No obfuscation, base64 encoding, or anti-analysis patterns
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ All environment variable access is declared and documented
✓ Doc-to-code alignment: SKILL.md accurately describes actual behavior