Trusted — Risk Score 5/100
Last scan: 1 day ago
polymarket-48h-cross-asset-sync-trader
Trades cross-asset correlation divergences in 5-minute crypto Up or Down markets on Polymarket
A legitimate Polymarket correlation arbitrage trading skill that uses only the simmer-sdk, defaults to paper trading, and has no shell access, obfuscation, credential exfiltration, or undeclared behavior.
Skill Name: polymarket-48h-cross-asset-sync-trader
Duration: 32.7s
Engine: pi
Safe to install
This skill is safe to use. The paper-trading default and explicit --live flag for real trades provide good guardrails. No action required.

Findings (1 item)

Severity: Info
Finding: API key environment variable name is generic [Doc Mismatch]
Location: trader.py:39

SIMMER_API_KEY follows a common naming pattern for API keys. It is, however, a platform-specific credential for the Simmer trading platform, not a system credential such as a cloud or SSH key, and the code passes it only to the SimmerClient constructor, so the scan found no path by which the key could be leaked or exfiltrated.
api_key=os.environ["SIMMER_API_KEY"]
→ No action needed. The credential is platform-specific and not a system secret.
Resource | Declared | Inferred | Status | Evidence
Filesystem | NONE | NONE | | trader.py: no open/write/create file operations
Network | NONE | NONE | | trader.py: no direct HTTP calls; only through SimmerClient (simmer-sdk)
Shell | NONE | NONE | | trader.py: no subprocess, no os.system, no os.popen
Environment | READ | READ | ✓ Aligned | trader.py lines 24-32: only SIMMER_API_KEY and tuning parameters are read
Skill Invoke | NONE | NONE | | No skill chaining, no skill.invoke calls
Clipboard | NONE | NONE | | No clipboard access
Browser | NONE | NONE | | No browser automation
Database | NONE | NONE | | No database operations
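The resource table above is the kind of result a static pass over a skill's source produces. The following is an added example of such a check, written for this page; it is not the scanner's code and not trader.py. It walks a module's AST for the shell, filesystem and obfuscation calls the table lists and records which environment variables are read. The two source strings are constructed stand-ins (one clean, one that would fail the table), not the skill's real file.

```python
"""Added example: an AST-based resource check in the spirit of the table above.
Not the scanner's own code and not trader.py; the two source strings below are
constructed samples."""
import ast

# Constructed stand-in for a clean skill: SDK-only, env reads, no shell.
CLEAN_SAMPLE = '''
import os
import argparse
from simmer_sdk import SimmerClient

YES_THRESHOLD = float(os.environ.get("YES_THRESHOLD", "0.6"))
MAX_POSITIONS = int(os.environ.get("MAX_POSITIONS", "3"))

def main():
    parser = argparse.ArgumentParser()
    parser.add_argument("--live", action="store_true")
    args = parser.parse_args()
    client = SimmerClient(api_key=os.environ["SIMMER_API_KEY"],
                          venue="live" if args.live else "sim")
    return client
'''

# Constructed stand-in for a skill that would NOT pass the table.
BAD_SAMPLE = '''import os
os.system("id")
open("/tmp/out.txt", "w")
eval(payload)
'''

SHELL_CALLS = {"os.system", "os.popen", "subprocess.run", "subprocess.Popen",
               "subprocess.call", "subprocess.check_output"}
FILE_CALLS = {"open", "os.remove", "os.makedirs", "shutil.copy"}
OBFUSCATION_CALLS = {"eval", "exec", "compile", "base64.b64decode"}
ENV_GETTERS = {"os.environ.get", "os.getenv"}


def _dotted(node):
    """Render a Name/Attribute chain as 'a.b.c'; None for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def _str_const(node):
    """Return the string value of a constant node, or None."""
    if type(node).__name__ == "Index":      # Python 3.8 subscript wrapper
        node = node.value
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value
    return None


def scan_source(source):
    """Return {category: [(lineno, name-or-key), ...]} for one module."""
    report = {"shell": [], "filesystem": [], "obfuscation": [], "env_reads": []}
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _dotted(node.func)
            if name in SHELL_CALLS:
                report["shell"].append((node.lineno, name))
            elif name in FILE_CALLS:
                report["filesystem"].append((node.lineno, name))
            elif name in OBFUSCATION_CALLS:
                report["obfuscation"].append((node.lineno, name))
            elif name in ENV_GETTERS and node.args:
                key = _str_const(node.args[0])
                if key:
                    report["env_reads"].append((node.lineno, key))
        elif isinstance(node, ast.Subscript) and _dotted(node.value) == "os.environ":
            key = _str_const(node.slice)
            if key:
                report["env_reads"].append((node.lineno, key))
    # ast.walk is breadth-first; sort so output follows source order.
    return {k: sorted(v) for k, v in report.items()}


def resource_status(report):
    """Collapse a report into the NONE / READ / USED style of the table."""
    return {
        "Shell": "USED" if report["shell"] else "NONE",
        "Filesystem": "USED" if report["filesystem"] else "NONE",
        "Obfuscation": "USED" if report["obfuscation"] else "NONE",
        "Environment": "READ" if report["env_reads"] else "NONE",
    }


if __name__ == "__main__":
    for label, src in (("clean", CLEAN_SAMPLE), ("bad", BAD_SAMPLE)):
        print(label, resource_status(scan_source(src)))
```

A pass like this only sees literal names: getattr(os, "system"), __import__("subprocess") or a call name assembled from strings would not appear in any row, and the SDK the skill calls through sits outside the scanned tree entirely. A clean table is therefore necessary for a "safe" verdict, not sufficient on its own.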

File Tree

3 files · 25.3 KB · 665 lines
Python: 1 file, 456 lines · Markdown: 1 file, 122 lines · JSON: 1 file, 87 lines
├─ 📋 clawhub.json JSON 87L · 1.8 KB
├─ 📝 SKILL.md Markdown 122L · 6.0 KB
└─ 🐍 trader.py Python 456L · 17.4 KB

Dependencies (1 item)

Package | Version | Source | Known Vulns | Notes
simmer-sdk | * | pip | No | Declared in both SKILL.md and clawhub.json. The version is unpinned, so the installed code is whatever pip resolves at install time, and the SDK itself is outside the three scanned files; treated as low risk because the calling code has no shell execution path.

Security Positives

✓ No shell execution (subprocess, os.system, popen, bash pipes) — trading is SDK-only
✓ No filesystem I/O at all — no open, write or create calls anywhere in trader.py
✓ No obfuscation (no base64, no eval, no exec, no dynamic code generation)
✓ No external script downloads (no curl|bash or wget|sh pipelines, no pip install invoked from code)
✓ No sensitive system path access (~/.ssh, ~/.aws, .env, /etc/)
✓ Single dependency: simmer-sdk (declared in both clawhub.json and SKILL.md)
✓ Paper trading default (venue=sim) — no financial risk without explicit --live flag
✓ Explicit --live flag required for real trading — good opt-in security model
✓ Safeguard gates implemented: YES_THRESHOLD/NO_THRESHOLD, MAX_SPREAD, MAX_POSITIONS
✓ Context checks (flip-flop, slippage) via SimmerClient API before placing orders
✓ No credential exfiltration — API key used only for SDK authentication
✓ Documentation is comprehensive and matches code behavior
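The opt-in model the positives credit (paper venue by default, real orders only behind --live, and threshold, spread and position gates evaluated before any order) is worth seeing as code. The block below is an added illustration written for this page, not the skill's trader.py; the simmer-sdk calls that would actually place an order are not shown on this page, so none is made here. The gate names follow the report, while the default values, the Market and Decision types and the signal_prob input are assumptions.

```python
"""Added example of the opt-in trading guardrails credited above: paper venue
by default, real orders only behind --live, and threshold / spread / position
gates before any order. Not the skill's trader.py; the simmer-sdk calls are
not shown on this page, so no SDK call is made here."""
import argparse
from dataclasses import dataclass

# Gate names follow the report; the values are assumed defaults.
YES_THRESHOLD = 0.65   # buy YES only if the signal probability is at least this
NO_THRESHOLD = 0.35    # buy NO only if it is at most this
MAX_SPREAD = 0.04      # skip books wider than this (assumed liquidity guard)
MAX_POSITIONS = 3      # cap on concurrent open positions


@dataclass
class Market:
    """Constructed quote for one 5-minute Up/Down market (assumed shape)."""
    market_id: str
    yes_bid: float
    yes_ask: float


@dataclass
class Decision:
    action: str   # "buy_yes", "buy_no" or "skip"
    venue: str    # "sim" (paper) or "live"
    reason: str


def parse_args(argv):
    """--live is an explicit opt-in; omitting it keeps venue=sim."""
    parser = argparse.ArgumentParser()
    parser.add_argument("--live", action="store_true",
                        help="send real orders (default: paper trading on venue=sim)")
    return parser.parse_args(argv)


def gate(market, open_positions, signal_prob, live=False):
    """Apply the position, spread and threshold gates, in that order.

    signal_prob is the strategy's estimate that the market resolves YES;
    how the cross-asset signal produces it is out of scope here.
    """
    venue = "live" if live else "sim"
    if open_positions >= MAX_POSITIONS:
        return Decision("skip", venue, "MAX_POSITIONS reached")
    spread = market.yes_ask - market.yes_bid
    if spread > MAX_SPREAD:
        return Decision("skip", venue, f"spread {spread:.3f} exceeds MAX_SPREAD")
    if signal_prob >= YES_THRESHOLD:
        return Decision("buy_yes", venue, f"signal {signal_prob:.2f} >= YES_THRESHOLD")
    if signal_prob <= NO_THRESHOLD:
        return Decision("buy_no", venue, f"signal {signal_prob:.2f} <= NO_THRESHOLD")
    return Decision("skip", venue, "signal between NO_THRESHOLD and YES_THRESHOLD")


def run(argv, market, open_positions, signal_prob):
    """Entry point: the venue is decided by the flag alone, never by the signal."""
    args = parse_args(argv)
    return gate(market, open_positions, signal_prob, live=args.live)


if __name__ == "__main__":
    book = Market("btc-updown-5m", yes_bid=0.60, yes_ask=0.62)    # constructed quote
    print(run([], book, open_positions=0, signal_prob=0.80))          # venue=sim
    print(run(["--live"], book, open_positions=0, signal_prob=0.80))  # venue=live
```

The point of the shape is that nothing in the signal path can flip the venue: only the parsed flag reaches gate(), and every skip reason is returned rather than raised, so a caller can log why an order was withheld. The report's flip-flop and slippage checks go through the SimmerClient API and are not modelled here.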