Trusted — Risk Score 5/100
Last scan: 1 day ago
polymarket-food-agriculture-trader
Trades Polymarket prediction markets on food commodity prices, crop yields, drought-driven supply shocks, alternative protein milestones, and agricultural policy events
This is a legitimate Polymarket trading skill for food/agriculture prediction markets. It operates via the simmer-sdk, defaults to paper trading, has no shell/network/file operations, and has no documented-vs-inferred capability violations.
Skill Name: polymarket-food-agriculture-trader
Duration: 37.2s
Engine: pi
Safe to install
No action needed. The skill is safe to install. Ensure SIMMER_API_KEY is stored securely and version-pin simmer-sdk in a requirements.txt if you adopt it.

Findings (1 item)

Severity: Low
Category: Supply Chain
Finding: simmer-sdk dependency not explicitly version-pinned
Location: clawhub.json:11
clawhub.json declares 'simmer-sdk' as a requirement but does not specify a version. Without pinning, every install resolves to the latest published version, so a future release that has been maliciously updated would be installed automatically.
"pip": ["simmer-sdk"]
→ Pin the dependency to a specific version (e.g., simmer-sdk==1.2.3) or create a requirements.txt with pinned versions to protect against supply-chain tampering.
Resource | Declared | Inferred | Status | Evidence
Filesystem | NONE | NONE | | No file read/write operations in trader.py
Network | READ | READ | ✓ Aligned | Market discovery and trade execution go through SimmerClient SDK only (trader.py…
Shell | NONE | NONE | | No subprocess, os.system, or shell invocation in trader.py
Environment | READ | READ | ✓ Aligned | Reads only SIMMER_API_KEY and SIMMER_* tunables — all declared in SKILL.md and c…
Clipboard | NONE | NONE | | No clipboard access
Browser | NONE | NONE | | No browser automation
Database | NONE | NONE | | No database access

File Tree

3 files · 21.9 KB · 510 lines
Python 1f · 323L Markdown 1f · 119L JSON 1f · 68L
├─ 📋 clawhub.json JSON 68L · 1.1 KB
├─ 📝 SKILL.md Markdown 119L · 6.4 KB
└─ 🐍 trader.py Python 323L · 14.3 KB

Dependencies (1 item)

Package | Version | Source | Known Vulns | Notes
simmer-sdk | unpinned | PyPI | No | Version not specified in clawhub.json

Security Positives

✓ No shell execution, subprocess, or os.system calls — all I/O goes through the SimmerClient SDK
✓ No direct network requests — market discovery and trading are SDK-abstracted
✓ Paper trading by default (venue='sim') — zero financial risk unless --live flag is passed
✓ autostart: false and cron: null — nothing runs automatically
✓ SIMMER_API_KEY is the only credential, used only for Polymarket API auth via SDK
✓ Flip-flop and slippage safeguards implemented (context_ok function)
✓ No sensitive file access (~/.ssh, ~/.aws, .env, etc.)
✓ No obfuscation (no base64, no eval, no atob patterns)
✓ Code is readable and straightforward — no hidden functionality
✓ SKILL.md and clawhub.json match the actual implementation behavior