中文 EN

扫描报告

扫描新文件

可信 — 风险评分 5/100
上次扫描:1 天前 重新扫描
5 /100
polymarket-macro-asymmetric-longshot-trader
Systematically finds Polymarket longshot markets (2-10% probability) with cross-category macro support scoring, then places conviction-sized trades through the Simmer SDK.
A legitimate Polymarket asymmetric longshot trading skill that uses the simmer-sdk to scan markets and place paper/live trades. No malicious behavior, credential harvesting, obfuscation, or undeclared functionality found.
技能名称polymarket-macro-asymmetric-longshot-trader
分析耗时35.8s
引擎pi
可以安装
This skill is safe to use. Ensure SIMMER_API_KEY is stored securely and never share the key. Use paper mode (default) until live trading is fully understood.

安全发现 1 项

严重性 安全发现 位置
低危
pip dependency not explicitly documented in SKILL.md 文档欺骗
SKILL.md describes the skill and its strategy but does not list the pip dependency (simmer-sdk) in its documentation. The dependency IS declared in clawhub.json requires.pip, so this is minor and non-critical.
"pip": ["simmer-sdk"]
→ Add a '## Dependencies' section to SKILL.md listing simmer-sdk as the required pip package.
 clawhub.json:4
资源类型声明权限推断权限状态证据
文件系统 NONE READ ✓ 一致 trader.py reads SKILL.md and its own module -- benign
网络访问 NONE READ ✓ 一致 trader.py calls client.get_markets() and client.trade() via simmer-sdk API -- le…
命令执行 NONE NONE No subprocess, os.system, or shell execution calls found
环境变量 READ READ ✓ 一致 Only reads SIMMER_* prefixed tunables; no credential theft iteration

目录结构

3 文件 · 29.3 KB · 748 行
Python 1f · 495L Markdown 1f · 150L JSON 1f · 103L
├─ 📋 clawhub.json JSON 103L · 2.2 KB
├─ 📝 SKILL.md Markdown 150L · 8.0 KB
└─ 🐍 trader.py Python 495L · 19.1 KB

依赖分析 1 项

包名版本来源已知漏洞备注
simmer-sdk * pip Version not pinned; SDK from Simmer Markets (SpartanLabsXyz) -- declared in clawhub.json

安全亮点

✓ No shell execution (subprocess, os.system) found -- trade logic entirely within Python
✓ No credential theft -- only reads SIMMER_API_KEY from environment, no iteration through os.environ
✓ No data exfiltration -- all network calls are through the official simmer-sdk to polymarket API
✓ No obfuscation -- all code is plain Python with readable logic
✓ Paper mode by default (venue='sim') -- no real trades without --live flag
✓ autostart=false and cron=null -- no automatic execution without user consent
✓ No sensitive file access -- no reads of ~/.ssh, ~/.aws, .env, or similar paths
✓ Safe print function with Unicode fallback -- no code injection risk
✓ Flip-flop and slippage safeguards built into context checking
✓ Position size capping and conviction-based sizing reduce financial risk