Low Risk — Risk Score 20/100
Last scan: 1 day ago
polymarket-catastrophe-trader
Trades Polymarket prediction markets on hurricane seasons, earthquake probabilities, wildfire forecasts, and extreme weather records
Legitimate Polymarket trading skill with clear documentation, paper-trading safeguards, and no malicious behavior detected. Minor concern: external simmer-sdk dependency not version-pinned.
Skill Name: polymarket-catastrophe-trader
Duration: 37.3s
Engine: pi
Safe to install
Approve for use. Consider pinning simmer-sdk to a specific version (e.g., pip install simmer-sdk==X.Y.Z) in a requirements.txt to reduce supply chain risk.

Findings (1 item)

Severity | Finding                       | Location
Low      | Unpinned external dependency  | Supply Chain

The simmer-sdk package is imported without version pinning. This allows dependency substitution attacks if PyPI is compromised or a typosquatted version is released.

Evidence: "pip": ["simmer-sdk"]
→ Add version pinning: "pip": ["simmer-sdk>=1.0.0,<2.0.0"] or use a requirements.txt with an exact version
clawhub.json:8
Resource    | Declared | Inferred | Status    | Evidence
Network     | READ     | READ     | ✓ Aligned | trader.py: client.find_markets(), client.trade() — Polymarket API access via Simm…
Environment | READ     | READ     | ✓ Aligned | trader.py: os.environ['SIMMER_API_KEY'] and SIMMER_* tunables — legitimate creden…
Filesystem  | NONE     | NONE     |           | No file read/write operations in codebase
Shell       | NONE     | NONE     |           | No subprocess, os.system, or shell execution calls detected
Clipboard   | NONE     | NONE     |           | No clipboard access
Browser     | NONE     | NONE     |           | No browser automation
Database    | NONE     | NONE     |           | No database access

File Tree

3 files · 31.2 KB · 636 lines
Python: 1 file, 425 lines · Markdown: 1 file, 138 lines · JSON: 1 file, 73 lines
├─ 📋 clawhub.json JSON 73L · 1.2 KB
├─ 📝 SKILL.md Markdown 138L · 10.0 KB
└─ 🐍 trader.py Python 425L · 20.0 KB

Dependencies (1 item)

Package    | Version  | Source | Known Vulns | Notes
simmer-sdk | unpinned | PyPI   | No          | Version not pinned — supply chain risk

Security Positives

✓ Paper trading (venue="sim") is the safe default — real trades require explicit --live flag
✓ Documentation is comprehensive and accurately describes all functionality
✓ No obfuscation techniques (no base64, eval, or encoded strings)
✓ No credential harvesting or data exfiltration behavior
✓ No sensitive path access (~/.ssh, ~/.aws, .env files)
✓ No remote script execution (curl|bash, wget|sh)
✓ Code is well-structured and readable
✓ Financial risk parameters are clearly documented and tunable