polymarket-24h-cross-asset-sync-trader 安全扫描报告 — 可信 | ClawSafe

5 /100

polymarket-24h-cross-asset-sync-trader

Trades cross-asset correlation divergences in 5-minute crypto Up or Down markets on Polymarket

A legitimate Polymarket correlation arbitrage trading bot using the simmer-sdk library, with no malicious behavior detected. The code is well-structured, documented, and performs only declared operations.

技能名称polymarket-24h-cross-asset-sync-trader

分析耗时27.4s

引擎pi

✓

可以安装

No action needed. The skill is safe to use. Ensure the SIMMER_API_KEY is stored securely and not committed to source control.

安全发现 1 项

严重性	安全发现	位置
低危	Unpinned simmer-sdk dependency 供应链 clawhub.json declares 'simmer-sdk' without a version constraint. Without a pinned version, pip install could resolve to a different (potentially malicious) version published under the same package name. `"requires": {"pip": ["simmer-sdk"]}` → Pin to a specific version, e.g., "simmer-sdk>=1.0.0,<2.0.0" or use an exact version. Verify the package ownership and check PyPI for any suspicious release activity.	`clawhub.json:6`

资源类型	声明权限	推断权限	状态	证据
文件系统	`NONE`	`NONE`	—	No file read/write operations in trader.py
网络访问	`READ`	`READ`	✓ 一致	trader.py:270-280 — client.find_markets(), client.trade() via simmer-sdk
命令执行	`NONE`	`NONE`	—	No subprocess, os.system, or popen calls in trader.py
环境变量	`READ`	`READ`	✓ 一致	trader.py:60-70 — os.environ.get() for all SIMMER_* tunables and API key
技能调用	`NONE`	`NONE`	—	No cross-skill invocation code present
剪贴板	`NONE`	`NONE`	—	No clipboard access
浏览器	`NONE`	`NONE`	—	No browser automation
数据库	`NONE`	`NONE`	—	No database access

目录结构

3 文件 · 25.9 KB · 665 行

Python 1f · 456L Markdown 1f · 122L JSON 1f · 87L

├─ 📋 clawhub.json JSON 87L · 1.9 KB

├─ 📝 SKILL.md Markdown 122L · 6.1 KB

└─ 🐍 trader.py Python 456L · 17.9 KB

依赖分析 1 项

包名	版本	来源	已知漏洞	备注
`simmer-sdk`	`*`	pip	否	Version not pinned in clawhub.json. Verify package ownership against GitHub (SpartanLabsXyz) and monitor for typosquatting.

安全亮点

✓ Paper trading (sim mode) is the default — real trades require explicit --live flag

✓ No shell execution (subprocess, os.system, popen, bash pipes) — code is pure Python logic

✓ No obfuscation — no base64, eval(), exec(), or encoded strings

✓ No credential exfiltration — SIMMER_API_KEY is used only to authenticate with the declared simmer-sdk

✓ No sensitive file access — no ~/.ssh, ~/.aws, .env, or similar paths accessed

✓ No network calls to unknown external IPs — all traffic routed through the simmer-sdk client

✓ Documentation accurately reflects the code's behavior

✓ autostart: false and cron: null prevent automatic execution

✓ Strong safeguard logic: flip-flop detection, slippage gates, position limits, and threshold bounds