Scan Report
5 /100
kalshi-crypto-correlation-trader
Exploits BTC/ETH correlation (beta=1.3) to trade ETH price-level markets when BTC makes a significant move
A legitimate crypto correlation trading skill that uses the simmer-sdk to trade BTC/ETH price-level markets via Kalshi/DFlow. No malicious behavior detected - all capabilities are declared and the codebase is clean.
Safe to install
This skill is safe to use. Ensure SIMMER_API_KEY and SOLANA_PRIVATE_KEY are kept confidential and only use --live flag when you intend to execute real trades.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | NONE | NONE | — | No file operations beyond config loading via SDK |
| Network | READ | READ | ✓ Aligned | API calls only to simmer.markets APIs via simmer-sdk |
| Shell | NONE | NONE | — | No subprocess or shell execution found |
| Environment | READ | READ | ✓ Aligned | Reads only SIMMER_API_KEY and SOLANA_PRIVATE_KEY as declared |
| Skill Invoke | NONE | NONE | — | Uses skill framework but no cross-skill attacks |
| Clipboard | NONE | NONE | — | Not accessed |
| Browser | NONE | NONE | — | Not used |
| Database | NONE | NONE | — | Not accessed |
2 findings
Medium External URL 外部 URL
https://simmer.markets/skills SKILL.md:10 Info Email 邮箱地址
[email protected] SKILL.md:110 File Tree
3 files · 29.5 KB · 846 lines Python 1f · 649L
Markdown 1f · 112L
JSON 1f · 85L
├─
clawhub.json
JSON
├─
SKILL.md
Markdown
└─
trader.py
Python
Dependencies 1 items
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
simmer-sdk | * | pypi | No | External dependency - recommend pinning to specific version in production |
Security Positives
✓ No shell execution or subprocess usage
✓ No credential harvesting beyond required API keys
✓ No base64 encoded payloads or obfuscated code
✓ No external network calls except to declared simmer.markets API
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ Dry-run mode defaults on - real trades require explicit --live flag
✓ Cron set to null and autostart disabled - no automatic execution
✓ Clear documentation with all required permissions declared
✓ Uses typed configuration with schema validation
✓ Implements safeguards for slippage, liquidity, and market resolution