polymarket-biotech-trader 安全扫描报告 — 可信 | ClawSafe

5 /100

polymarket-biotech-trader

Trades Polymarket prediction markets on FDA drug approvals, biotech IPOs, clinical trial outcomes, pharma M&A, and precision medicine milestones.

A legitimate Polymarket biotech trading bot with transparent paper-trading defaults, documented credential handling, and no malicious indicators.

技能名称polymarket-biotech-trader

分析耗时25.1s

引擎pi

✓

可以安装

Safe to use. The skill correctly defaults to paper trading and requires explicit --live flag for real trades. Monitor simmer-sdk dependency for updates.

安全发现 1 项

严重性	安全发现	位置
低危	Unpinned simmer-sdk dependency 供应链 SKILL.md references 'simmer-sdk' from PyPI without a version pin. This could allow a malicious version to be installed on re-install. Requires: `SIMMER_API_KEY` environment variable. ... `simmer-sdk` is published on PyPI → Consider pinning to a specific version: simmer-sdk>=1.0.0 or equivalent. Check PyPI for current stable release.	`SKILL.md:133`

资源类型	声明权限	推断权限	状态	证据
文件系统	`NONE`	`NONE`	—	No file read/write operations in code
网络访问	`READ`	`READ`	✓ 一致	trader.py:53 - client.find_markets() via simmer_sdk
命令执行	`NONE`	`NONE`	—	No subprocess, os.system, or shell execution
环境变量	`READ`	`READ`	✓ 一致	trader.py:22-28 - reads SIMMER_* env vars only
技能调用	`NONE`	`NONE`	—	No inter-skill invocation
剪贴板	`NONE`	`NONE`	—	No clipboard access
浏览器	`NONE`	`NONE`	—	No browser automation
数据库	`NONE`	`NONE`	—	No direct database access

4 项发现

🔗

中危外部 URL 外部 URL

https://www.fda.gov/patients/drug-development-process/step-4-fda-drug-review

SKILL.md:82

🔗

中危外部 URL 外部 URL

https://clinicaltrials.gov/api/

SKILL.md:83

🔗

中危外部 URL 外部 URL

https://efts.sec.gov/LATEST/search-index?q=%22biotech%22&dateRange=custom

SKILL.md:84

📧

提示邮箱邮箱地址

[email protected]

SKILL.md:136

目录结构

3 文件 · 14.8 KB · 392 行

Python 1f · 181L Markdown 1f · 138L JSON 1f · 73L

├─ 📋 clawhub.json JSON 73L · 1.2 KB

├─ 📝 SKILL.md Markdown 138L · 6.2 KB

└─ 🐍 trader.py Python 181L · 7.4 KB

依赖分析 1 项

包名	版本	来源	已知漏洞	备注
`simmer-sdk`	`*`	PyPI	否	Version not pinned - minor risk; review source at github.com/SpartanLabsXyz/simmer-sdk before deployment

安全亮点

✓ Paper trading is the safe default (venue='sim'), zero financial risk without --live flag

✓ Explicit --live flag required for real Polymarket trades

✓ Cron automaton is disabled by default (autostart: false, cron: null)

✓ No subprocess, os.system, shell execution, or base64 decoding

✓ No sensitive file access (~/.ssh, ~/.aws, .env, credentials directories)

✓ No credential exfiltration - SIMMER_API_KEY is used only for Polymarket API authentication

✓ Code is clean, readable, and well-structured with clear comments

✓ All environment variable access is declared and documented

✓ Risk parameters are tunable via SIMMER_* vars with sensible defaults

✓ No obfuscation, steganography, or anti-analysis techniques