Trusted: risk score 5/100
Last scan: 2 days ago
polymarket-autotrade
Polymarket prediction market CLI - Browse markets, check prices, execute trades, and manage portfolio
Polymarket trading CLI with transparent private key handling and declared network access to official Polymarket API endpoints only.
Skill name: polymarket-autotrade
Analysis time: 32.6s
Engine: pi
Verdict: safe to install
No action needed. Skill operates within declared boundaries. Consider pinning py-clob-client to a specific version for reproducibility.

Security findings (2)

Severity | Finding | Location
Low | Dependency versions not upper-pinned | requirements.txt:2
  requirements.txt and pyproject.toml specify minimum versions (requests>=2.31.0, py-clob-client>=1.5.0) without upper bounds, allowing potentially mismatched versions to be installed.
  Evidence: requests>=2.31.0
  → Pin to known-compatible versions, e.g., requests==2.31.0 and py-clob-client==1.5.0
Low | Crypto wallet address hardcoded | skill.py:17
  Polymarket USDC contract address 0x2791Bca1f2de4661ED88A30C99A7a9449Aa84174 is hardcoded at line 17. This is expected but worth noting for auditability.
  Evidence: USDC_CONTRACT = "0x2791Bca1f2de4661ED88A30C99A7a9449Aa84174"
  → No action needed - this is a well-known Polygon USDC contract address
Resource type | Declared permission | Inferred permission | Status | Evidence
Filesystem | READ/WRITE | READ/WRITE | ✓ Consistent | skill.py:37 reads CREDS_FILE; skill.py:61 writes API_CREDS_FILE
Network access | READ | READ | ✓ Consistent | skill.py:203-245 GET requests to gamma-api.polymarket.com; skill.py:304 POST to …
Environment variables | READ | READ | ✓ Consistent | skill.py:30 os.environ.get('POLYMARKET_PRIVATE_KEY') and 'POLYMARKET_PROXY_ADDRE…
Command execution | NONE | NONE | - | No subprocess, os.system, or shell execution found
Findings (7)

Severity | Type | Value | Location
Medium | External URL | https://gamma-api.polymarket.com/events/pagination | SKILL.md:192
Medium | External URL | https://data-api.polymarket.com/positions | SKILL.md:193
Medium | External URL | https://clob.polymarket.com | SKILL.md:194
Medium | Wallet address (cryptocurrency wallet address) | 0x2791Bca1f2de4661ED88A30C99A7a9449Aa84174 | skill.py:17
Medium | External URL | https://polygon-rpc.com | skill.py:18
Medium | External URL | https://polymarket.com/event/ | skill.py:241
Medium | External URL | https://gamma-api.polymarket.com/events/slug/ | skill.py:245

Directory structure

5 files · 22.2 KB · 711 lines
Python 1f · 489L Markdown 1f · 194L TOML 1f · 20L JSON 1f · 5L Text 1f · 3L
├─ 📋 _meta.json JSON 5L · 139 B
├─ 📄 pyproject.toml TOML 20L · 384 B
├─ 📄 requirements.txt Text 3L · 71 B
├─ 📝 SKILL.md Markdown 194L · 4.9 KB
└─ 🐍 skill.py Python 489L · 16.8 KB

Dependency analysis (2)

Package | Version | Source | Known vulnerabilities | Notes
requests | >=2.31.0 | pip | - | Minimum version pinned, no upper bound
py-clob-client | >=1.5.0 | pip | - | Minimum version pinned, no upper bound; official Polymarket SDK

Security highlights

✓ Private key is never transmitted over the network - only used locally for signing via py-clob-client
✓ All network requests go to explicitly declared Polymarket endpoints (gamma-api, data-api, clob, polygon-rpc)
✓ SKILL.md documents credential handling in detail, including security warnings for using dedicated wallets
✓ API credentials are auto-generated and cached locally rather than requiring manual entry
✓ Skill uses standard requests library with proper timeout values
✓ No subprocess, shell execution, or dynamic code evaluation (eval, exec) found
✓ No access to sensitive paths like ~/.ssh, ~/.aws, or .env files
✓ Filesystem access is scoped to ~/.openclaw/credentials/ directory, a dedicated skill credential store