Trusted — Risk Score 5/100
Last scan: 1 day ago
polymarket-bundle-cs2-maps-trader
Trades CS2 BO3 Winner markets when individual map winner probabilities imply a different BO3 outcome on Polymarket.
A legitimate Polymarket CS2 BO3 arbitrage trading skill with clean code, no hidden functionality, and properly declared capabilities.
Skill Name: polymarket-bundle-cs2-maps-trader
Duration: 26.6s
Engine: pi
Safe to install
This skill is safe to use. No security concerns identified.

Findings (1 item)

| Severity | Finding | Location |
|---|---|---|
| Low | Dependency version not pinned (Supply Chain) | clawhub.json:10 |

simmer-sdk is listed as a requirement without a version constraint. This could allow a malicious package update to be installed.
"pip": ["simmer-sdk"]
→ Pin to a specific version, e.g., "simmer-sdk==1.2.3"

| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Network | READ | READ | ✓ Aligned | trader.py: calls SimmerClient API methods (get_markets, find_markets, trade) |
| Environment | READ | READ | ✓ Aligned | trader.py: reads SIMMER_API_KEY, SIMMER_MAX_POSITION, etc. via os.environ |
| Shell | NONE | NONE | | No subprocess, os.system, or shell execution found |
| Filesystem | NONE | NONE | | No file reads or writes present |
| Clipboard | NONE | NONE | | No clipboard access |
| Browser | NONE | NONE | | No browser automation |
| Database | NONE | NONE | | No database access |
| Skill Invoke | NONE | NONE | | No recursive skill invocation |

File Tree

3 files · 24.8 KB · 682 lines
Python 1f · 491L Markdown 1f · 104L JSON 1f · 87L
├─ 📋 clawhub.json JSON 87L · 1.8 KB
├─ 📝 SKILL.md Markdown 104L · 5.7 KB
└─ 🐍 trader.py Python 491L · 17.3 KB

Dependencies (1 item)

| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| simmer-sdk | * | pip (PyPI) | No | Version not pinned in clawhub.json |

Security Positives

✓ No subprocess, os.system, or shell execution anywhere in the codebase
✓ No credential exfiltration — SIMMER_API_KEY is only used to authenticate with the Simmer API
✓ No data exfiltration — all API calls go to the documented Simmer/Polymarket endpoints only
✓ No obfuscation — no base64, eval, or anti-analysis patterns detected
✓ Doc-to-code alignment is excellent — SKILL.md accurately describes all behavior
✓ Safe defaults — paper trading mode (venue='sim') is the default; --live flag required for real trades
✓ Position and spread safeguards implemented via context_ok() and compute_signal() gates
✓ No sensitive file access (~/.ssh, ~/.aws, .env, etc.)
✓ No hidden instructions, HTML comments, or steganographic payloads
✓ safe_print() is a simple, non-malicious encoding fallback