polymarket-biotech-trader Security Report — Trusted | ClawSafe

5 /100

polymarket-biotech-trader

Trades Polymarket prediction markets on FDA drug approvals, biotech IPOs, clinical trial outcomes, pharma M&A, and precision medicine milestones.

A legitimate Polymarket biotech trading bot with transparent paper-trading defaults, documented credential handling, and no malicious indicators.

Skill Namepolymarket-biotech-trader

Duration25.1s

Enginepi

✓

Safe to install

Safe to use. The skill correctly defaults to paper trading and requires explicit --live flag for real trades. Monitor simmer-sdk dependency for updates.

Findings 1 items

Severity	Finding	Location
Low	Unpinned simmer-sdk dependency Supply Chain SKILL.md references 'simmer-sdk' from PyPI without a version pin. This could allow a malicious version to be installed on re-install. Requires: `SIMMER_API_KEY` environment variable. ... `simmer-sdk` is published on PyPI → Consider pinning to a specific version: simmer-sdk>=1.0.0 or equivalent. Check PyPI for current stable release.	`SKILL.md:133`

Resource	Declared	Inferred	Status	Evidence
Filesystem	`NONE`	`NONE`	—	No file read/write operations in code
Network	`READ`	`READ`	✓ Aligned	trader.py:53 - client.find_markets() via simmer_sdk
Shell	`NONE`	`NONE`	—	No subprocess, os.system, or shell execution
Environment	`READ`	`READ`	✓ Aligned	trader.py:22-28 - reads SIMMER_* env vars only
Skill Invoke	`NONE`	`NONE`	—	No inter-skill invocation
Clipboard	`NONE`	`NONE`	—	No clipboard access
Browser	`NONE`	`NONE`	—	No browser automation
Database	`NONE`	`NONE`	—	No direct database access

4 findings

🔗

Medium External URL 外部 URL

https://www.fda.gov/patients/drug-development-process/step-4-fda-drug-review

SKILL.md:82

🔗

Medium External URL 外部 URL

https://clinicaltrials.gov/api/

SKILL.md:83

🔗

Medium External URL 外部 URL

https://efts.sec.gov/LATEST/search-index?q=%22biotech%22&dateRange=custom

SKILL.md:84

📧

Info Email 邮箱地址

[email protected]

SKILL.md:136

File Tree

3 files · 14.8 KB · 392 lines

Python 1f · 181L Markdown 1f · 138L JSON 1f · 73L

├─ 📋 clawhub.json JSON 73L · 1.2 KB

├─ 📝 SKILL.md Markdown 138L · 6.2 KB

└─ 🐍 trader.py Python 181L · 7.4 KB

Dependencies 1 items

Package	Version	Source	Known Vulns	Notes
`simmer-sdk`	`*`	PyPI	No	Version not pinned - minor risk; review source at github.com/SpartanLabsXyz/simmer-sdk before deployment

Security Positives

✓ Paper trading is the safe default (venue='sim'), zero financial risk without --live flag

✓ Explicit --live flag required for real Polymarket trades

✓ Cron automaton is disabled by default (autostart: false, cron: null)

✓ No subprocess, os.system, shell execution, or base64 decoding

✓ No sensitive file access (~/.ssh, ~/.aws, .env, credentials directories)

✓ No credential exfiltration - SIMMER_API_KEY is used only for Polymarket API authentication

✓ Code is clean, readable, and well-structured with clear comments

✓ All environment variable access is declared and documented

✓ Risk parameters are tunable via SIMMER_* vars with sensible defaults

✓ No obfuscation, steganography, or anti-analysis techniques

Scan Report

Findings 1 items

File Tree

Dependencies 1 items

Security Positives