中文 EN

Scan Report

Scan New Files

Trusted — Risk Score 5/100
Last scan:1 day ago Rescan
5 /100
polymarket-bundle-dota2-bo3-trader
Trades structural inconsistencies between Dota 2 BO3 winner, individual game winners, and game handicap markets on Polymarket.
A legitimate Polymarket Dota 2 BO3 arbitrage trading skill with no malicious indicators. It uses a well-documented SDK, defaults to paper trading, and performs only declared API-based trading operations.
Skill Namepolymarket-bundle-dota2-bo3-trader
Duration32.3s
Enginepi
Safe to install
No action needed. This is a legitimate trading skill. Treat SIMMER_API_KEY as a high-value credential and never use --live without understanding position sizing.

Findings 1 items

Severity Finding Location
Low
Unpinned SDK dependency Supply Chain
simmer-sdk is declared without a version pin in clawhub.json. While the package comes from a known vendor (SpartanLabsXyz), version pinning is a security best practice to prevent supply-chain drift.
"pip": ["simmer-sdk"]
→ Pin to a specific version, e.g., "simmer-sdk>=1.0.0,<2.0.0"
 clawhub.json:4
ResourceDeclaredInferredStatusEvidence
Shell NONE NONE No subprocess/os.system calls in trader.py
Network READ READ ✓ Aligned All network via SimmerClient SDK (lines 55-70)
Filesystem NONE NONE No file reads or writes
Environment READ READ ✓ Aligned Only reads SIMMER_* vars (lines 35-46); no iteration over all env
Clipboard NONE NONE N/A
Skill Invoke NONE NONE N/A
Browser NONE NONE N/A
Database NONE NONE N/A

File Tree

3 files · 27.5 KB · 735 lines
Python 1f · 547L Markdown 1f · 101L JSON 1f · 87L
├─ 📋 clawhub.json JSON 87L · 1.8 KB
├─ 📝 SKILL.md Markdown 101L · 6.0 KB
└─ 🐍 trader.py Python 547L · 19.7 KB

Dependencies 1 items

PackageVersionSourceKnown VulnsNotes
simmer-sdk unpinned pip No Not pinned to a specific version; from known vendor SpartanLabsXyz

Security Positives

✓ Safe-by-default paper trading mode (venue='sim') unless --live flag is explicitly passed
✓ No shell execution (no subprocess, os.system, popen, etc.)
✓ No credential harvesting -- only reads SIMMER_API_KEY from environment
✓ No network calls outside the declared Simmer SDK API
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env, etc.)
✓ No obfuscation (no base64, eval, exec, atob patterns)
✓ SKILL.md accurately describes the trading strategy and all risk parameters
✓ Strong safeguards: position limits, spread gates, days-to-resolution checks, flip-flop discipline
✓ All 9 tunable risk parameters are declared and adjustable via UI
✓ No hidden HTML comments or embedded payloads
✓ No curl|bash or wget|sh remote script execution
✓ No persistence mechanisms (no cron hooks, startup files, or registry writes)