Trusted — Risk Score 5/100
Last scan: 1 day ago
polymarket-24h-cross-asset-sync-trader
Trades cross-asset correlation divergences in 5-minute crypto Up or Down markets on Polymarket
A legitimate Polymarket correlation arbitrage trading bot using the simmer-sdk library, with no malicious behavior detected. The code is well-structured, documented, and performs only declared operations.
Skill Name: polymarket-24h-cross-asset-sync-trader
Duration: 27.4s
Engine: pi
Safe to install
No action needed. The skill is safe to use. Ensure the SIMMER_API_KEY is stored securely and not committed to source control.

Findings (1 item)

Severity: Low
Finding: Unpinned simmer-sdk dependency
Category: Supply Chain
Location: clawhub.json:6

clawhub.json declares 'simmer-sdk' without a version constraint. Without a pinned version, pip install could resolve to a different (potentially malicious) version published under the same package name.

Evidence:
    "requires": {"pip": ["simmer-sdk"]}

→ Pin to a specific version, e.g., "simmer-sdk>=1.0.0,<2.0.0" or use an exact version. Verify the package ownership and check PyPI for any suspicious release activity.
Resource     | Declared | Inferred | Status    | Evidence
Filesystem   | NONE     | NONE     |           | No file read/write operations in trader.py
Network      | READ     | READ     | ✓ Aligned | trader.py:270-280 — client.find_markets(), client.trade() via simmer-sdk
Shell        | NONE     | NONE     |           | No subprocess, os.system, or popen calls in trader.py
Environment  | READ     | READ     | ✓ Aligned | trader.py:60-70 — os.environ.get() for all SIMMER_* tunables and API key
Skill Invoke | NONE     | NONE     |           | No cross-skill invocation code present
Clipboard    | NONE     | NONE     |           | No clipboard access
Browser      | NONE     | NONE     |           | No browser automation
Database     | NONE     | NONE     |           | No database access

File Tree

3 files · 25.9 KB · 665 lines
Python: 1 file · 456 lines | Markdown: 1 file · 122 lines | JSON: 1 file · 87 lines
├─ 📋 clawhub.json JSON 87L · 1.9 KB
├─ 📝 SKILL.md Markdown 122L · 6.1 KB
└─ 🐍 trader.py Python 456L · 17.9 KB

Dependencies (1 item)

Package    | Version | Source | Known Vulns | Notes
simmer-sdk | *       | pip    | No          | Version not pinned in clawhub.json. Verify package ownership against GitHub (SpartanLabsXyz) and monitor for typosquatting.

Security Positives

✓ Paper trading (sim mode) is the default — real trades require explicit --live flag
✓ No shell execution (subprocess, os.system, popen, bash pipes) — code is pure Python logic
✓ No obfuscation — no base64, eval(), exec(), or encoded strings
✓ No credential exfiltration — SIMMER_API_KEY is used only to authenticate with the declared simmer-sdk
✓ No sensitive file access — no ~/.ssh, ~/.aws, .env, or similar paths accessed
✓ No network calls to unknown external IPs — all traffic routed through the simmer-sdk client
✓ Documentation accurately reflects the code's behavior
✓ autostart: false and cron: null prevent automatic execution
✓ Strong safeguard logic: flip-flop detection, slippage gates, position limits, and threshold bounds