kalshi-crypto-cycle-model-trader Security Report — Trusted | ClawSafe

5 /100

kalshi-crypto-cycle-model-trader

Trades Bitcoin year-end price markets on Kalshi using the 4-year halving cycle pattern to compute fair price probabilities.

A straightforward Bitcoin trading bot for Kalshi markets that implements a halving-cycle probability model with no hidden functionality, credential harvesting, or suspicious network behavior.

Skill Namekalshi-crypto-cycle-model-trader

Duration36.0s

Enginepi

✓

Safe to install

No action needed. The skill is a clean trading bot. Ensure `simmer-sdk` is audited independently before providing live API keys.

Findings 1 items

Severity	Finding	Location
Low	Filesystem config access not declared in allowed-tools trader.py imports load_config, update_config, get_config_path from simmer_sdk.skill which may read/write config files, but this is not declared in SKILL.md allowed-tools. This is a minor doc-to-code mismatch with no security impact since the SDK's config path is a standard, non-sensitive location. `from simmer_sdk.skill import load_config, update_config, get_config_path` → Add filesystem:READ to allowed-tools in SKILL.md for transparency.	`trader.py:43`

Resource	Declared	Inferred	Status	Evidence
Filesystem	`NONE`	`READ`	✓ Aligned	trader.py:43 — from simmer_sdk.skill import load_config, update_config, get_conf…
Network	`NONE`	`READ`	✓ Aligned	trader.py:239-246 — client._request() GET /api/sdk/markets; explicitly uses exte…
Environment	`NONE`	`READ`	✓ Aligned	trader.py:67 — os.environ.get('SIMMER_API_KEY'); SKILL.md lists SIMMER_API_KEY a…
Shell	`NONE`	`NONE`	—	No subprocess, os.system, or shell execution calls found
Skill Invoke	`NONE`	`READ`	✓ Aligned	trader.py:30-35 — imports tradejournal from skills package; declared as optional…

2 findings

🔗

Medium External URL 外部 URL

https://simmer.markets/skills

SKILL.md:10

📧

Info Email 邮箱地址

[email protected]

SKILL.md:125

File Tree

3 files · 32.0 KB · 889 lines

Python 1f · 677L Markdown 1f · 127L JSON 1f · 85L

├─ 📋 clawhub.json JSON 85L · 1.6 KB

├─ 📝 SKILL.md Markdown 127L · 5.3 KB

└─ 🐍 trader.py Python 677L · 25.1 KB

Dependencies 1 items

Package	Version	Source	Known Vulns	Notes
`simmer-sdk`	`unpinned`	pip (PyPI)	No	Required dependency; published by [email protected]. SKILL.md recommends reviewing source before providing live credentials.

Security Positives

✓ No shell execution (subprocess, os.system, popen) anywhere in the codebase

✓ No credential exfiltration — SIMMER_API_KEY is used only to initialize SimmerClient and is not transmitted to any third party

✓ No base64, eval, atob, or dynamic code execution patterns

✓ No access to sensitive host paths (~/.ssh, ~/.aws, .env)

✓ No hidden HTML comments or steganographic payloads

✓ No curl|bash or wget|sh remote script installation

✓ No direct IP address network connections — all API calls go through the simmer-sdk

✓ No suspicious dependencies — only simmer-sdk (PyPI, verified publisher) and optional tradejournal

✓ Dry-run mode is the default — real trades require explicit --live flag

✓ Crons are disabled by default (autostart: false, cron: null)

✓ Safeguards for market resolution, slippage, and liquidity are implemented

✓ Code is well-structured and does exactly what the documentation describes

Scan Report

Findings 1 items

File Tree

Dependencies 1 items

Security Positives