Low Risk — Risk Score 20/100
Last scan: 1 day ago
polymarket-science-milestones-trader
Trades Polymarket prediction markets on scientific breakthroughs, Nobel Prizes, physics discoveries, and research milestones using the Simmer SDK.
A legitimate Polymarket trading bot for scientific milestone prediction markets. No malicious indicators found; all behavior is declared and transparent.
Skill Name: polymarket-science-milestones-trader
Duration: 31.1s
Engine: pi
Safe to install
No action required. The skill is a straightforward trading bot. Consider pinning simmer-sdk to a specific version in clawhub.json for supply-chain hygiene.

Findings (1 item)

Severity  Finding                                   Location
Low       simmer-sdk dependency not version-pinned  Supply Chain (clawhub.json:7)

clawhub.json declares 'simmer-sdk' in pip requires but does not pin it to a specific version. This allows the dependency resolver to pull any future version, including a potentially compromised one.

    "pip": ["simmer-sdk"]

→ Pin to a known-good version, e.g., "simmer-sdk==1.2.3", and update periodically after reviewing release notes.
Resource      Declared  Inferred  Status     Evidence
Filesystem    NONE      NONE                 No file reads or writes in trader.py
Network       READ      READ      ✓ Aligned  Only Polymarket API calls through SimmerClient; documented in SKILL.md
Shell         NONE      NONE                 No subprocess, os.system, or shell execution in trader.py
Environment   READ      READ      ✓ Aligned  Only reads SIMMER_* prefixed env vars declared in clawhub.json
Skill Invoke  NONE      NONE                 No skill-to-skill invocation
Clipboard     NONE      NONE                 No clipboard access
Browser       NONE      NONE                 No browser automation
Database      NONE      NONE                 No database access

File Tree

3 files · 28.2 KB · 583 lines
Python: 1 file, 388 lines · Markdown: 1 file, 122 lines · JSON: 1 file, 73 lines
├─ clawhub.json  (JSON, 73 lines, 1.2 KB)
├─ SKILL.md      (Markdown, 122 lines, 8.0 KB)
└─ trader.py     (Python, 388 lines, 19.0 KB)

Dependencies (1 item)

Package     Version  Source  Known Vulns  Notes
simmer-sdk  *        pip     No           Version not pinned — allowed to float to any release

Security Positives

✓ No shell execution, subprocess, or system command invocation
✓ No base64 decoding, obfuscation, or anti-analysis patterns
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env, credentials directories)
✓ No data exfiltration or C2 communication
✓ No credential harvesting beyond the declared SIMMER_API_KEY
✓ Paper trading (venue=sim) is the safe default — live mode requires explicit --live flag
✓ SKILL.md accurately describes all behavior with no documentation-to-code mismatch
✓ No cron/autostart configuration — skill does not run automatically
✓ Code is readable and transparent — all logic is inlined in trader.py
✓ Flip-flop and slippage safeguards are implemented for financial protection