Trusted (risk score 5/100)
Last scanned: 1 day ago
polymarket-geopolitics-weekly-trader
Trades weekly cyclical patterns in geopolitical prediction markets. Combines day-of-week timing with conviction-based sizing on Polymarket.
A well-documented Polymarket trading bot using a single PyPI dependency (simmer-sdk) with a safe paper-trading default, no shell execution, no credential harvesting beyond the declared API key, and no obfuscation.
Skill name: polymarket-geopolitics-weekly-trader
Analysis time: 31.6s
Engine: pi
Verdict: safe to install
No action needed. Consider pinning simmer-sdk to a specific version for reproducibility, but there are no security concerns warranting blocking this skill.

Security findings (1)

Severity | Finding | Category | Location
Low | Unpinned pip dependency | Supply chain | SKILL.md:140

Description: simmer-sdk has no version constraint (pip install without ==version). This makes builds non-reproducible and could silently accept a compromised update.
Evidence: requires_pip: "simmer-sdk"
Recommendation: Pin to a specific version, e.g., simmer-sdk==x.y.z, to prevent supply-chain substitution attacks.
Resource type | Declared permission | Inferred permission | Status | Evidence
Network access | READ | READ | ✓ Consistent | SKILL.md: Requires SIMMER_API_KEY; makes API calls through simmer-sdk to Polymar…
Environment variables | READ | READ | ✓ Consistent | trader.py:11-18: os.environ.get('SIMMER_*') — all declared in SKILL.md
Command execution | NONE | NONE | | No subprocess, os.system, or shell execution in trader.py
Filesystem | NONE | NONE | | No file read/write operations in trader.py
Clipboard | NONE | NONE | | No clipboard access
Skill invocation | NONE | NONE | | No inter-skill invocation
Browser | NONE | NONE | | No browser automation
Database | NONE | NONE | | No database access

Directory structure

3 files · 22.3 KB · 538 lines
Python: 1 file · 305 lines; Markdown: 1 file · 150 lines; JSON: 1 file · 83 lines
├─ 📋 clawhub.json JSON 83L · 1.7 KB
├─ 📝 SKILL.md Markdown 150L · 8.4 KB
└─ 🐍 trader.py Python 305L · 12.2 KB

Dependency analysis (1)

Package | Version | Source | Known vulnerabilities | Notes
simmer-sdk | * | pip | | No version constraint — recommend pinning to a specific release

Security highlights

✓ No shell execution — trader.py uses only stdlib (os, re, sys, argparse, datetime) plus simmer-sdk
✓ No credential exfiltration — SIMMER_API_KEY is read from environment and passed directly to SimmerClient
✓ No obfuscation — no base64, eval, exec, or atob patterns
✓ No hidden functionality — doc-to-code alignment is strong throughout
✓ Safe-by-default design — paper trading is the default; --live flag is required for real trades
✓ Defensive safeguards: MAX_POSITIONS cap, spread/days-to-resolution gates, flip-flop detection, slippage checks
✓ No filesystem, clipboard, or sensitive path access
✓ No remote script fetching (curl|bash, wget|sh)
✓ Autostart disabled and cron null — nothing runs automatically