Scan Report
5/100
polymarket-24h-precipitation-range-trader
Trades mispricings in Polymarket precipitation-range markets by reconstructing probability distributions and detecting sum/monotonicity violations
Clean Polymarket precipitation arbitrage skill; all capabilities declared, no hidden behavior, paper-first design, and no credential theft or exfiltration.
Safe to install
No action needed. The skill is safe to use. Ensure SIMMER_API_KEY is stored securely and not committed to version control.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | NONE | NONE | — | trader.py: no open/write/fs calls |
| Network | READ | READ | ✓ Aligned | simmer-sdk → Polymarket API; declared in SKILL.md |
| Shell | NONE | NONE | — | trader.py: no subprocess/os.system |
| Environment | READ | READ | ✓ Aligned | os.environ['SIMMER_API_KEY'] + SIMMER_* tunables; all declared in SKILL.md |
| Skill Invoke | NONE | NONE | — | No cross-skill invocation |
| Clipboard | NONE | NONE | — | No clipboard access |
| Browser | NONE | NONE | — | No browser automation |
| Database | NONE | NONE | — | No DB access |
File Tree
3 files · 30.0 KB · 767 lines
Python 1f · 561L
Markdown 1f · 119L
JSON 1f · 87L
├─ clawhub.json (JSON)
├─ SKILL.md (Markdown)
└─ trader.py (Python)
Dependencies (1 item)
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| simmer-sdk | unpinned | pip | No | Referenced in SKILL.md but no pinned version in a requirements file; minor supply-chain risk if not pinned in deployment |
Security Positives
✓ Paper-first design: venue='sim' by default; real trades require explicit --live flag
✓ All environment variables (SIMMER_API_KEY, SIMMER_*) declared and documented
✓ No subprocess, no shell execution, no raw socket calls
✓ No base64/eval obfuscation or hidden instruction payloads
✓ No credential harvesting or data exfiltration
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ No autostart/cron; user must explicitly configure
✓ Sensible trade safeguards: threshold gates, max position, spread checks, flip-flop detection
✓ Market data flows through a named SDK (simmer-sdk) rather than raw HTTP, reducing attack surface