polymarket-macro-crypto-geopolitics-trader Security Report — Low Risk | ClawSafe

20 /100

polymarket-macro-crypto-geopolitics-trader

Trades the lag between geopolitical escalation markets and crypto price threshold markets on Polymarket. Detects when crypto markets lag behind geopolitical repricing and trades the divergence before convergence.

A legitimate Polymarket trading skill with clear documentation, safe paper-trading defaults, and no malicious behavior. The only concern is an unpinned PyPI dependency.

Skill Namepolymarket-macro-crypto-geopolitics-trader

Duration31.2s

Enginepi

✓

Safe to install

Pin the simmer-sdk dependency to a specific version (e.g., simmer-sdk==x.y.z) to prevent supply-chain substitution attacks. Otherwise safe to use.

Findings 1 items

Severity	Finding	Location
Medium	Unpinned PyPI dependency Supply Chain clawhub.json declares 'simmer-sdk' as a pip dependency without a version constraint. An attacker who compromises the SimmerMarkets PyPI account or registers a typosquat (e.g., simmer_sdk, simmer-sdl) could serve malicious code on the next pip install. `"pip": ["simmer-sdk"]` → Pin to a specific version: "simmer-sdk==x.y.z". Verify the version currently installed and lock to it.	`clawhub.json:2`

Resource	Declared	Inferred	Status	Evidence
Filesystem	`NONE`	`NONE`	—	No file reads or writes found in trader.py
Network	`READ`	`READ`	✓ Aligned	All network calls are routed through SimmerClient SDK (calls Polymarket API)
Shell	`NONE`	`NONE`	—	No subprocess, os.system, or shell execution in trader.py
Environment	`READ`	`READ`	✓ Aligned	os.environ used only for declared SIMMER_* tunables and SIMMER_API_KEY
Skill Invoke	`NONE`	`NONE`	—	No cross-skill invocation
Clipboard	`NONE`	`NONE`	—	No clipboard access
Browser	`NONE`	`NONE`	—	No browser automation
Database	`NONE`	`NONE`	—	No database access

File Tree

3 files · 22.6 KB · 570 lines

Python 1f · 374L Markdown 1f · 101L JSON 1f · 95L

├─ 📋 clawhub.json JSON 95L · 2.0 KB

├─ 📝 SKILL.md Markdown 101L · 6.5 KB

└─ 🐍 trader.py Python 374L · 14.1 KB

Dependencies 1 items

Package	Version	Source	Known Vulns	Notes
`simmer-sdk`	`*`	pip (PyPI)	No	Version not pinned in clawhub.json. Dependency declared but not version-locked.

Security Positives

✓ Defaults to paper trading (venue='sim') with zero financial risk

✓ Real trades require explicit --live flag; no silent live execution

✓ No subprocess, shell commands, or os.system calls

✓ No base64, eval, or code obfuscation

✓ No credential harvesting beyond SIMMER_API_KEY which is necessary for the trading API

✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)

✓ No external IP network calls outside the legitimate SimmerClient SDK

✓ No hidden functionality -- implementation matches SKILL.md documentation

✓ No cron/autostart -- requires explicit configuration

✓ Source code is clean and readable with no anti-analysis techniques

✓ Uses a well-known SDK (simmer-sdk) with a clear purpose

Scan Report

Findings 1 items

File Tree

Dependencies 1 items

Security Positives