Scan Report
10/100
polymarket-24h-player-prop-consistency-trader
Trades NBA player prop mispricings on Polymarket by detecting cross-stat consistency or divergence for the same player
Legitimate NBA player prop trading bot using simmer-sdk, no malicious behavior detected. Paper trading by default with proper safeguards.
Safe to install
This skill is safe to use. Ensure SIMMER_API_KEY is stored securely and never share credentials. The unpinned simmer-sdk dependency could be tightened by pinning to a specific version.
Findings: 1 item
| Severity | Finding | Location |
|---|---|---|
| Low | Unpinned dependency version (Supply Chain) | clawhub.json:3 |

| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Environment | READ | READ | ✓ Aligned | trader.py:39-40: os.environ.get('SIMMER_API_KEY') |
| Network | READ | READ | ✓ Aligned | trader.py:42: SimmerClient(api_key=..., venue=...) |
| Filesystem | NONE | NONE | — | No file operations in codebase |
| Shell | NONE | NONE | — | No subprocess, os.system, or shell execution |
File Tree
3 files · 26.8 KB · 702 lines
Python 1f · 494L
Markdown 1f · 121L
JSON 1f · 87L
├─ clawhub.json (JSON)
├─ SKILL.md (Markdown)
└─ trader.py (Python)
Dependencies: 1 item
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| simmer-sdk | unpinned | pip | No | Version not pinned - recommend pinning to specific version |
Security Positives
✓ Paper trading is the default mode (venue='sim'), requiring explicit --live flag for real trades
✓ No shell execution, subprocess, or system command calls
✓ No obfuscation, base64 encoding, or anti-analysis techniques
✓ No access to sensitive paths like ~/.ssh, ~/.aws, or .env files
✓ No credential exfiltration or data theft indicators
✓ Clear and comprehensive documentation in SKILL.md
✓ Well-structured code with proper safeguards and validation