polymarket-macro-crypto-geopolitics-trader 安全扫描报告 — 低风险 | ClawSafe

20 /100

polymarket-macro-crypto-geopolitics-trader

Trades the lag between geopolitical escalation markets and crypto price threshold markets on Polymarket. Detects when crypto markets lag behind geopolitical repricing and trades the divergence before convergence.

A legitimate Polymarket trading skill with clear documentation, safe paper-trading defaults, and no malicious behavior. The only concern is an unpinned PyPI dependency.

技能名称polymarket-macro-crypto-geopolitics-trader

分析耗时31.2s

引擎pi

✓

可以安装

Pin the simmer-sdk dependency to a specific version (e.g., simmer-sdk==x.y.z) to prevent supply-chain substitution attacks. Otherwise safe to use.

安全发现 1 项

严重性	安全发现	位置
中危	Unpinned PyPI dependency 供应链 clawhub.json declares 'simmer-sdk' as a pip dependency without a version constraint. An attacker who compromises the SimmerMarkets PyPI account or registers a typosquat (e.g., simmer_sdk, simmer-sdl) could serve malicious code on the next pip install. `"pip": ["simmer-sdk"]` → Pin to a specific version: "simmer-sdk==x.y.z". Verify the version currently installed and lock to it.	`clawhub.json:2`

资源类型	声明权限	推断权限	状态	证据
文件系统	`NONE`	`NONE`	—	No file reads or writes found in trader.py
网络访问	`READ`	`READ`	✓ 一致	All network calls are routed through SimmerClient SDK (calls Polymarket API)
命令执行	`NONE`	`NONE`	—	No subprocess, os.system, or shell execution in trader.py
环境变量	`READ`	`READ`	✓ 一致	os.environ used only for declared SIMMER_* tunables and SIMMER_API_KEY
技能调用	`NONE`	`NONE`	—	No cross-skill invocation
剪贴板	`NONE`	`NONE`	—	No clipboard access
浏览器	`NONE`	`NONE`	—	No browser automation
数据库	`NONE`	`NONE`	—	No database access

目录结构

3 文件 · 22.6 KB · 570 行

Python 1f · 374L Markdown 1f · 101L JSON 1f · 95L

├─ 📋 clawhub.json JSON 95L · 2.0 KB

├─ 📝 SKILL.md Markdown 101L · 6.5 KB

└─ 🐍 trader.py Python 374L · 14.1 KB

依赖分析 1 项

包名	版本	来源	已知漏洞	备注
`simmer-sdk`	`*`	pip (PyPI)	否	Version not pinned in clawhub.json. Dependency declared but not version-locked.

安全亮点

✓ Defaults to paper trading (venue='sim') with zero financial risk

✓ Real trades require explicit --live flag; no silent live execution

✓ No subprocess, shell commands, or os.system calls

✓ No base64, eval, or code obfuscation

✓ No credential harvesting beyond SIMMER_API_KEY which is necessary for the trading API

✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)

✓ No external IP network calls outside the legitimate SimmerClient SDK

✓ No hidden functionality -- implementation matches SKILL.md documentation

✓ No cron/autostart -- requires explicit configuration

✓ Source code is clean and readable with no anti-analysis techniques

✓ Uses a well-known SDK (simmer-sdk) with a clear purpose