Low risk: risk score 10/100
Last scanned: 1 day ago
polymarket-24h-player-prop-consistency-trader
Trades NBA player prop mispricings on Polymarket by detecting cross-stat consistency or divergence for the same player
Legitimate NBA player prop trading bot using simmer-sdk, no malicious behavior detected. Paper trading by default with proper safeguards.
Skill name: polymarket-24h-player-prop-consistency-trader
Analysis time: 27.6s
Engine: pi
Status: installable
This skill is safe to use. Ensure SIMMER_API_KEY is stored securely and never share credentials. The unpinned simmer-sdk dependency could be tightened by pinning to a specific version.

Security findings: 1

Severity  Finding                      Category      Location
Low       Unpinned dependency version  Supply chain  clawhub.json:3
          The simmer-sdk dependency does not specify a version, which could allow a malicious or compromised version to be installed.
          Evidence: "pip": ["simmer-sdk"]
          → Pin simmer-sdk to a specific version (e.g., simmer-sdk==1.2.3) to ensure reproducible and secure builds.
Resource type          Declared permission  Inferred permission  Status        Evidence
Environment variables  READ                 READ                 ✓ Consistent  trader.py:39-40: os.environ.get('SIMMER_API_KEY')
Network access         READ                 READ                 ✓ Consistent  trader.py:42: SimmerClient(api_key=..., venue=...)
File system            NONE                 NONE                               No file operations in codebase
Command execution      NONE                 NONE                               No subprocess, os.system, or shell execution

Directory structure

3 files · 26.8 KB · 702 lines
Python: 1 file · 494 lines   Markdown: 1 file · 121 lines   JSON: 1 file · 87 lines
├─ clawhub.json  JSON      87 lines · 1.9 KB
├─ SKILL.md      Markdown  121 lines · 5.5 KB
└─ trader.py     Python    494 lines · 19.4 KB

Dependency analysis: 1

Package     Version   Source  Known vulnerabilities  Notes
simmer-sdk  unpinned  pip                            Version not pinned; recommend pinning to a specific version

Security highlights

✓ Paper trading is the default mode (venue='sim'), requiring explicit --live flag for real trades
✓ No shell execution, subprocess, or system command calls
✓ No obfuscation, base64 encoding, or anti-analysis techniques
✓ No access to sensitive paths like ~/.ssh, ~/.aws, or .env files
✓ No credential exfiltration or data theft indicators
✓ Clear and comprehensive documentation in SKILL.md
✓ Well-structured code with proper safeguards and validation