中文 EN

Scan Report

Scan New Files

Trusted — Risk Score 5/100
Last scan:1 day ago Rescan
5 /100
polymarket-geopolitics-weekly-trader
Trades weekly cyclical patterns in geopolitical prediction markets. Combines day-of-week timing with conviction-based sizing on Polymarket.
A well-documented Polymarket trading bot using a single PyPI dependency (simmer-sdk) with a safe paper-trading default, no shell execution, no credential harvesting beyond the declared API key, and no obfuscation.
Skill Namepolymarket-geopolitics-weekly-trader
Duration31.6s
Enginepi
Safe to install
No action needed. Consider pinning simmer-sdk to a specific version for reproducibility, but there are no security concerns warranting blocking this skill.

Findings 1 items

Severity Finding Location
Low
Unpinned pip dependency Supply Chain
simmer-sdk has no version constraint (pip install without ==version). This makes builds non-reproducible and could silently accept a compromised update.
requires_pip: "simmer-sdk"
→ Pin to a specific version, e.g., simmer-sdk==x.y.z, to prevent supply-chain substitution attacks.
 SKILL.md:140
ResourceDeclaredInferredStatusEvidence
Network READ READ ✓ Aligned SKILL.md: Requires SIMMER_API_KEY; makes API calls through simmer-sdk to Polymar…
Environment READ READ ✓ Aligned trader.py:11-18: os.environ.get('SIMMER_*') — all declared in SKILL.md
Shell NONE NONE No subprocess, os.system, or shell execution in trader.py
Filesystem NONE NONE No file read/write operations in trader.py
Clipboard NONE NONE No clipboard access
Skill Invoke NONE NONE No inter-skill invocation
Browser NONE NONE No browser automation
Database NONE NONE No database access

File Tree

3 files · 22.3 KB · 538 lines
Python 1f · 305L Markdown 1f · 150L JSON 1f · 83L
├─ 📋 clawhub.json JSON 83L · 1.7 KB
├─ 📝 SKILL.md Markdown 150L · 8.4 KB
└─ 🐍 trader.py Python 305L · 12.2 KB

Dependencies 1 items

PackageVersionSourceKnown VulnsNotes
simmer-sdk * pip No No version constraint — recommend pinning to a specific release

Security Positives

✓ No shell execution — trader.py uses only stdlib (os, re, sys, argparse, datetime) plus simmer-sdk
✓ No credential exfiltration — SIMMER_API_KEY is read from environment and passed directly to SimmerClient
✓ No obfuscation — no base64, eval, exec, or atob patterns
✓ No hidden functionality — doc-to-code alignment is strong throughout
✓ Safe-by-default design — paper trading is the default; --live flag is required for real trades
✓ Defensive safeguards: MAX_POSITIONS cap, spread/days-to-resolution gates, flip-flop detection, slippage checks
✓ No filesystem, clipboard, or sensitive path access
✓ No remote script fetching (curl|bash, wget|sh)
✓ Autostart disabled and cron null — nothing runs automatically