Low risk: risk score 20/100
Last scanned: 1 day ago
polymarket-science-milestones-trader
Trades Polymarket prediction markets on scientific breakthroughs, Nobel Prizes, physics discoveries, and research milestones using the Simmer SDK.
A legitimate Polymarket trading bot for scientific milestone prediction markets. No malicious indicators found; all behavior is declared and transparent.
Skill name: polymarket-science-milestones-trader
Analysis time: 31.1s
Engine: pi
Verdict: safe to install
No action required. The skill is a straightforward trading bot. Consider pinning simmer-sdk to a specific version in clawhub.json for supply-chain hygiene.

Security findings: 1

Severity | Finding                                  | Location
Low      | simmer-sdk dependency not version-pinned | Supply chain, clawhub.json:7

clawhub.json declares 'simmer-sdk' in its pip requires without a version specifier, so the resolver is free to install whichever release is newest at install time, including a future compromised one.

    "pip": ["simmer-sdk"]

→ Pin to a known-good version, e.g. "simmer-sdk==1.2.3", and bump the pin deliberately after reviewing release notes. A pin only fixes which release is fetched; the pinned release itself still needs to be reviewed before it is adopted.
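The check behind this finding, written out as an added example (this is not the scanner's code or part of the skill): a small Python script that walks a clawhub.json manifest, collects every list stored under a `pip` key, and reports requirements that do not fix one exact version. Ranges (`>=1.0,<2`) and wildcards (`==1.2.*`) are treated as unpinned because they still let the resolver float. The report only shows the `"pip": ["simmer-sdk"]` fragment, so the surrounding layout (a `requires` object holding the `pip` list) and the sample manifests are constructed assumptions.

```python
"""Flag unpinned pip requirements in a clawhub.json-style manifest.

Added example; not the scanner's code and not part of the skill. The
manifest layout (a "pip" list nested under "requires") is assumed: the
scan report only shows the `"pip": ["simmer-sdk"]` fragment.
"""
import json
import re
from typing import Any, Iterator

# Simplified PEP 508 requirement: name, optional extras, optional version
# clauses, optional environment marker. Enough to separate "simmer-sdk"
# from "simmer-sdk==1.2.3"; it is not a full requirement parser.
_REQ_RE = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)"
    r"(?:\[[^\]]*\])?\s*"
    r"(?P<spec>(?:[<>=!~]=?|===)\s*[^,;\s]+"
    r"(?:\s*,\s*(?:[<>=!~]=?|===)\s*[^,;\s]+)*)?"
    r"\s*(?:;.*)?$"
)

# A clause pins only if it is == or === followed by a concrete version
# (no wildcard such as 1.2.*).
_PIN_CLAUSE_RE = re.compile(r"===?\s*[^*\s]+")


def is_pinned(requirement: str) -> bool:
    """True only if the requirement fixes exactly one version."""
    m = _REQ_RE.match(requirement)
    if not m or not m.group("spec"):
        return False  # bare name: resolver may pick any release
    clauses = [c.strip() for c in m.group("spec").split(",")]
    return any(_PIN_CLAUSE_RE.fullmatch(c) for c in clauses)


def _pip_lists(node: Any) -> Iterator[list]:
    """Yield every list stored under a "pip" key, at any depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "pip" and isinstance(value, list):
                yield value
            else:
                yield from _pip_lists(value)
    elif isinstance(node, list):
        for item in node:
            yield from _pip_lists(item)


def unpinned_pip_requires(manifest_text: str) -> list[str]:
    """Return the pip requirement strings that do not pin a version."""
    manifest = json.loads(manifest_text)
    return [
        req
        for pip_list in _pip_lists(manifest)
        for req in pip_list
        if isinstance(req, str) and not is_pinned(req)
    ]


# Constructed sample manifests; the nesting under "requires" is assumed.
UNPINNED_MANIFEST = json.dumps({
    "name": "polymarket-science-milestones-trader",
    "requires": {"pip": ["simmer-sdk"], "env": ["SIMMER_API_KEY"]},
})
PINNED_MANIFEST = json.dumps({
    "name": "polymarket-science-milestones-trader",
    "requires": {"pip": ["simmer-sdk==1.2.3"], "env": ["SIMMER_API_KEY"]},
})
FLOATING_MANIFEST = json.dumps({
    "name": "example",
    "requires": {"pip": ["simmer-sdk>=1.0,<2", "simmer-sdk==1.2.*"]},
})

if __name__ == "__main__":
    for label, text in [
        ("unpinned", UNPINNED_MANIFEST),
        ("pinned", PINNED_MANIFEST),
        ("floating", FLOATING_MANIFEST),
    ]:
        print(label, unpinned_pip_requires(text))
```

Running the script prints `['simmer-sdk']` for the unpinned manifest, `[]` for the pinned one, and both floating specifiers for the third. Wildcards and ranges are deliberately rejected so that the check only passes when an upgrade requires a deliberate edit to the manifest.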
Resource              | Declared | Inferred | Status       | Evidence
Filesystem            | NONE     | NONE     |              | No file reads or writes in trader.py
Network access        | READ     | READ     | ✓ consistent | Only Polymarket API calls through SimmerClient; documented in SKILL.md
Command execution     | NONE     | NONE     |              | No subprocess, os.system, or shell execution in trader.py
Environment variables | READ     | READ     | ✓ consistent | Only reads SIMMER_* prefixed env vars declared in clawhub.json
Skill invocation      | NONE     | NONE     |              | No skill-to-skill invocation
Clipboard             | NONE     | NONE     |              | No clipboard access
Browser               | NONE     | NONE     |              | No browser automation
Database              | NONE     | NONE     |              | No database access

Directory structure

3 files · 28.2 KB · 583 lines
Python: 1 file, 388 lines · Markdown: 1 file, 122 lines · JSON: 1 file, 73 lines
├─ 📋 clawhub.json  (JSON, 73 lines, 1.2 KB)
├─ 📝 SKILL.md      (Markdown, 122 lines, 8.0 KB)
└─ 🐍 trader.py     (Python, 388 lines, 19.0 KB)

Dependency analysis: 1

Package    | Version | Source | Known vulnerabilities | Notes
simmer-sdk | *       | pip    |                       | Version not pinned; allowed to float to any release

Security highlights

✓ No shell execution, subprocess, or system command invocation
✓ No base64 decoding, obfuscation, or anti-analysis patterns
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env, credentials directories)
✓ No data exfiltration or C2 communication
✓ No credential harvesting beyond the declared SIMMER_API_KEY
✓ Paper trading (venue=sim) is the safe default — live mode requires explicit --live flag
✓ SKILL.md accurately describes all behavior with no documentation-to-code mismatch
✓ No cron/autostart configuration — skill does not run automatically
✓ Code is readable and transparent — all logic is inlined in trader.py
✓ Flip-flop and slippage safeguards are implemented for financial protection