中文 EN

Scan Report

Scan New Files

Trusted — Risk Score 5/100
Last scan:1 day ago Rescan
5 /100
polymarket-macro-asymmetric-longshot-trader
Systematically finds Polymarket longshot markets (2-10% probability) with cross-category macro support scoring, then places conviction-sized trades through the Simmer SDK.
A legitimate Polymarket asymmetric longshot trading skill that uses the simmer-sdk to scan markets and place paper/live trades. No malicious behavior, credential harvesting, obfuscation, or undeclared functionality found.
Skill Namepolymarket-macro-asymmetric-longshot-trader
Duration35.8s
Enginepi
Safe to install
This skill is safe to use. Ensure SIMMER_API_KEY is stored securely and never share the key. Use paper mode (default) until live trading is fully understood.

Findings 1 items

Severity Finding Location
Low
pip dependency not explicitly documented in SKILL.md Doc Mismatch
SKILL.md describes the skill and its strategy but does not list the pip dependency (simmer-sdk) in its documentation. The dependency IS declared in clawhub.json requires.pip, so this is minor and non-critical.
"pip": ["simmer-sdk"]
→ Add a '## Dependencies' section to SKILL.md listing simmer-sdk as the required pip package.
 clawhub.json:4
ResourceDeclaredInferredStatusEvidence
Filesystem NONE READ ✓ Aligned trader.py reads SKILL.md and its own module -- benign
Network NONE READ ✓ Aligned trader.py calls client.get_markets() and client.trade() via simmer-sdk API -- le…
Shell NONE NONE No subprocess, os.system, or shell execution calls found
Environment READ READ ✓ Aligned Only reads SIMMER_* prefixed tunables; no credential theft iteration

File Tree

3 files · 29.3 KB · 748 lines
Python 1f · 495L Markdown 1f · 150L JSON 1f · 103L
├─ 📋 clawhub.json JSON 103L · 2.2 KB
├─ 📝 SKILL.md Markdown 150L · 8.0 KB
└─ 🐍 trader.py Python 495L · 19.1 KB

Dependencies 1 items

PackageVersionSourceKnown VulnsNotes
simmer-sdk * pip No Version not pinned; SDK from Simmer Markets (SpartanLabsXyz) -- declared in clawhub.json

Security Positives

✓ No shell execution (subprocess, os.system) found -- trade logic entirely within Python
✓ No credential theft -- only reads SIMMER_API_KEY from environment, no iteration through os.environ
✓ No data exfiltration -- all network calls are through the official simmer-sdk to polymarket API
✓ No obfuscation -- all code is plain Python with readable logic
✓ Paper mode by default (venue='sim') -- no real trades without --live flag
✓ autostart=false and cron=null -- no automatic execution without user consent
✓ No sensitive file access -- no reads of ~/.ssh, ~/.aws, .env, or similar paths
✓ Safe print function with Unicode fallback -- no code injection risk
✓ Flip-flop and slippage safeguards built into context checking
✓ Position size capping and conviction-based sizing reduce financial risk