中文 EN

扫描报告

扫描新文件

可信 — 风险评分 5/100
上次扫描:2 天前 重新扫描
5 /100
kalshi-crypto-cycle-model-trader
Trades Bitcoin year-end price markets on Kalshi using the 4-year halving cycle pattern to compute fair price probabilities.
A straightforward Bitcoin trading bot for Kalshi markets that implements a halving-cycle probability model with no hidden functionality, credential harvesting, or suspicious network behavior.
技能名称kalshi-crypto-cycle-model-trader
分析耗时36.0s
引擎pi
可以安装
No action needed. The skill is a clean trading bot. Ensure `simmer-sdk` is audited independently before providing live API keys.

安全发现 1 项

严重性 安全发现 位置
低危
Filesystem config access not declared in allowed-tools
trader.py imports load_config, update_config, get_config_path from simmer_sdk.skill which may read/write config files, but this is not declared in SKILL.md allowed-tools. This is a minor doc-to-code mismatch with no security impact since the SDK's config path is a standard, non-sensitive location.
from simmer_sdk.skill import load_config, update_config, get_config_path
→ Add filesystem:READ to allowed-tools in SKILL.md for transparency.
 trader.py:43
资源类型声明权限推断权限状态证据
文件系统 NONE READ ✓ 一致 trader.py:43 — from simmer_sdk.skill import load_config, update_config, get_conf…
网络访问 NONE READ ✓ 一致 trader.py:239-246 — client._request() GET /api/sdk/markets; explicitly uses exte…
环境变量 NONE READ ✓ 一致 trader.py:67 — os.environ.get('SIMMER_API_KEY'); SKILL.md lists SIMMER_API_KEY a…
命令执行 NONE NONE No subprocess, os.system, or shell execution calls found
技能调用 NONE READ ✓ 一致 trader.py:30-35 — imports tradejournal from skills package; declared as optional…
2 项发现
🔗
中危 外部 URL 外部 URL
https://simmer.markets/skills
SKILL.md:10
📧
提示 邮箱 邮箱地址
[email protected]
SKILL.md:125

目录结构

3 文件 · 32.0 KB · 889 行
Python 1f · 677L Markdown 1f · 127L JSON 1f · 85L
├─ 📋 clawhub.json JSON 85L · 1.6 KB
├─ 📝 SKILL.md Markdown 127L · 5.3 KB
└─ 🐍 trader.py Python 677L · 25.1 KB

依赖分析 1 项

包名版本来源已知漏洞备注
simmer-sdk unpinned pip (PyPI) Required dependency; published by [email protected]. SKILL.md recommends reviewing source before providing live credentials.

安全亮点

✓ No shell execution (subprocess, os.system, popen) anywhere in the codebase
✓ No credential exfiltration — SIMMER_API_KEY is used only to initialize SimmerClient and is not transmitted to any third party
✓ No base64, eval, atob, or dynamic code execution patterns
✓ No access to sensitive host paths (~/.ssh, ~/.aws, .env)
✓ No hidden HTML comments or steganographic payloads
✓ No curl|bash or wget|sh remote script installation
✓ No direct IP address network connections — all API calls go through the simmer-sdk
✓ No suspicious dependencies — only simmer-sdk (PyPI, verified publisher) and optional tradejournal
✓ Dry-run mode is the default — real trades require explicit --live flag
✓ Crons are disabled by default (autostart: false, cron: null)
✓ Safeguards for market resolution, slippage, and liquidity are implemented
✓ Code is well-structured and does exactly what the documentation describes