polymarket-bundle-dota2-bo3-trader 安全扫描报告 — 可信 | ClawSafe

5 /100

polymarket-bundle-dota2-bo3-trader

Trades structural inconsistencies between Dota 2 BO3 winner, individual game winners, and game handicap markets on Polymarket.

A legitimate Polymarket Dota 2 BO3 arbitrage trading skill with no malicious indicators. It uses a well-documented SDK, defaults to paper trading, and performs only declared API-based trading operations.

技能名称polymarket-bundle-dota2-bo3-trader

分析耗时32.3s

引擎pi

✓

可以安装

No action needed. This is a legitimate trading skill. Treat SIMMER_API_KEY as a high-value credential and never use --live without understanding position sizing.

安全发现 1 项

严重性	安全发现	位置
低危	Unpinned SDK dependency 供应链 simmer-sdk is declared without a version pin in clawhub.json. While the package comes from a known vendor (SpartanLabsXyz), version pinning is a security best practice to prevent supply-chain drift. `"pip": ["simmer-sdk"]` → Pin to a specific version, e.g., "simmer-sdk>=1.0.0,<2.0.0"	`clawhub.json:4`

资源类型	声明权限	推断权限	状态	证据
命令执行	`NONE`	`NONE`	—	No subprocess/os.system calls in trader.py
网络访问	`READ`	`READ`	✓ 一致	All network via SimmerClient SDK (lines 55-70)
文件系统	`NONE`	`NONE`	—	No file reads or writes
环境变量	`READ`	`READ`	✓ 一致	Only reads SIMMER_* vars (lines 35-46); no iteration over all env
剪贴板	`NONE`	`NONE`	—	N/A
技能调用	`NONE`	`NONE`	—	N/A
浏览器	`NONE`	`NONE`	—	N/A
数据库	`NONE`	`NONE`	—	N/A

目录结构

3 文件 · 27.5 KB · 735 行

Python 1f · 547L Markdown 1f · 101L JSON 1f · 87L

├─ 📋 clawhub.json JSON 87L · 1.8 KB

├─ 📝 SKILL.md Markdown 101L · 6.0 KB

└─ 🐍 trader.py Python 547L · 19.7 KB

依赖分析 1 项

包名	版本	来源	已知漏洞	备注
`simmer-sdk`	`unpinned`	pip	否	Not pinned to a specific version; from known vendor SpartanLabsXyz

安全亮点

✓ Safe-by-default paper trading mode (venue='sim') unless --live flag is explicitly passed

✓ No shell execution (no subprocess, os.system, popen, etc.)

✓ No credential harvesting -- only reads SIMMER_API_KEY from environment

✓ No network calls outside the declared Simmer SDK API

✓ No access to sensitive paths (~/.ssh, ~/.aws, .env, etc.)

✓ No obfuscation (no base64, eval, exec, atob patterns)

✓ SKILL.md accurately describes the trading strategy and all risk parameters

✓ Strong safeguards: position limits, spread gates, days-to-resolution checks, flip-flop discipline

✓ All 9 tunable risk parameters are declared and adjustable via UI

✓ No hidden HTML comments or embedded payloads

✓ No curl|bash or wget|sh remote script execution

✓ No persistence mechanisms (no cron hooks, startup files, or registry writes)