Scan Report
0/100
polymarket-candle-marubozu-trader
Trades marubozu continuation signals on Polymarket 5-minute crypto interval markets
Clean Polymarket marubozu continuation trading bot with paper-trading default, no shell execution, no sensitive path access, and no hidden functionality.
Safe to install
This skill is safe to use. It operates through the simmer-sdk, defaults to paper trading, and only accesses declared environment variables for trading configuration.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | NONE | NONE | — | No file I/O operations in code |
| Network | READ | READ | ✓ Aligned | Uses simmer-sdk for API calls to Polymarket (trader.py:58-63) |
| Shell | NONE | NONE | — | No subprocess, os.system, or shell execution found |
| Environment | READ | READ | ✓ Aligned | Only reads SIMMER_API_KEY and SIMMER_* tunables (trader.py:28-38,61) |
| Skill Invoke | NONE | NONE | — | No inter-skill invocation |
| Clipboard | NONE | NONE | — | No clipboard access |
| Browser | NONE | NONE | — | No browser automation |
| Database | NONE | NONE | — | No database access |
File Tree
3 files · 21.7 KB · 531 lines
Python 1f · 352L
Markdown 1f · 92L
JSON 1f · 87L
├─ clawhub.json (JSON)
├─ SKILL.md (Markdown)
└─ trader.py (Python)
Dependencies (1 item)
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| simmer-sdk | * | pip | No | Legitimate SDK from SpartanLabsXyz; version not pinned in requirements |
Security Positives
✓ Paper trading (venue='sim') is the safe default; live trades require explicit --live flag
✓ No subprocess, shell execution, or command injection vectors
✓ Only accesses declared SIMMER_* environment variables (no enumeration of os.environ)
✓ No filesystem writes or sensitive path access (~/.ssh, ~/.aws, .env)
✓ No base64, obfuscation, or anti-analysis techniques
✓ Uses legitimate simmer-sdk from SpartanLabsXyz for all market operations
✓ Clear documentation of trading parameters and risk safeguards in SKILL.md
✓ Autostart and cron are disabled by default (automaton managed=false)
✓ No data exfiltration or credential theft patterns detected