Trusted: risk score 5/100
Last scan: 1 day ago
polymarket-food-agriculture-trader
Trades Polymarket prediction markets on food commodity prices, crop yields, drought-driven supply shocks, alternative protein milestones, and agricultural policy events
This is a legitimate Polymarket trading skill for food/agriculture prediction markets. It operates via the simmer-sdk, defaults to paper trading, has no shell/network/file operations, and has no documented-vs-inferred capability violations.
Skill name: polymarket-food-agriculture-trader
Analysis time: 37.2s
Engine: pi
Verdict: safe to install
No action needed. The skill is safe to install. Ensure SIMMER_API_KEY is stored securely and version-pin simmer-sdk in a requirements.txt if you adopt it.

Security findings (1)

Severity: Low
Finding:  simmer-sdk dependency not explicitly version-pinned
Location: Supply chain (clawhub.json:11)

clawhub.json declares 'simmer-sdk' as a requirement but does not specify a version. Without pinning, the latest version would be installed, which could be updated maliciously in the future.

    "pip": ["simmer-sdk"]

→ Pin the dependency to a specific version (e.g., simmer-sdk==1.2.3) or create a requirements.txt with pinned versions to protect against supply-chain tampering.
Resource           Declared  Inferred  Status        Evidence
Filesystem         NONE      NONE                    No file read/write operations in trader.py
Network access     READ      READ      ✓ consistent  Market discovery and trade execution go through SimmerClient SDK only (trader.py…
Command execution  NONE      NONE                    No subprocess, os.system, or shell invocation in trader.py
Environment vars   READ      READ      ✓ consistent  Reads only SIMMER_API_KEY and SIMMER_* tunables — all declared in SKILL.md and c…
Clipboard          NONE      NONE                    No clipboard access
Browser            NONE      NONE                    No browser automation
Database           NONE      NONE                    No database access

Directory structure

3 files · 21.9 KB · 510 lines
Python: 1 file · 323 lines; Markdown: 1 file · 119 lines; JSON: 1 file · 68 lines
├─ clawhub.json  (JSON, 68 lines · 1.1 KB)
├─ SKILL.md      (Markdown, 119 lines · 6.4 KB)
└─ trader.py     (Python, 323 lines · 14.3 KB)

Dependency analysis (1)

Package     Version   Source  Known vulnerabilities  Notes
simmer-sdk  unpinned  PyPI    (none listed)          Version not specified in clawhub.json

Security highlights

✓ No shell execution, subprocess, or os.system calls — all I/O goes through the SimmerClient SDK
✓ No direct network requests — market discovery and trading are SDK-abstracted
✓ Paper trading by default (venue='sim') — zero financial risk unless --live flag is passed
✓ autostart: false and cron: null — nothing runs automatically
✓ SIMMER_API_KEY is the only credential, used only for Polymarket API auth via SDK
✓ Flip-flop and slippage safeguards implemented (context_ok function)
✓ No sensitive file access (~/.ssh, ~/.aws, .env, etc.)
✓ No obfuscation (no base64, no eval, no atob patterns)
✓ Code is readable and straightforward — no hidden functionality
✓ SKILL.md and clawhub.json match the actual implementation behavior