Trusted — risk score 5/100
Last scan: 1 day ago
polymarket-bundle-cs2-maps-trader
Trades CS2 BO3 Winner markets when individual map winner probabilities imply a different BO3 outcome on Polymarket.
A legitimate Polymarket CS2 BO3 arbitrage trading skill with clean code, no hidden functionality, and properly declared capabilities.
Skill name: polymarket-bundle-cs2-maps-trader
Analysis time: 26.6s
Engine: pi
Verdict: safe to install
This skill is safe to use. No security concerns identified.

Security findings (1)

Severity: Low
Finding: Dependency version not pinned (supply chain)
Location: clawhub.json:10
Details: simmer-sdk is listed as a requirement without a version constraint. This could allow a malicious package update to be installed.
    "pip": ["simmer-sdk"]
→ Pin to a specific version, e.g., "simmer-sdk==1.2.3"
Resource type | Declared permission | Inferred permission | Status | Evidence
Network access | READ | READ | ✓ Consistent | trader.py: calls SimmerClient API methods (get_markets, find_markets, trade)
Environment variables | READ | READ | ✓ Consistent | trader.py: reads SIMMER_API_KEY, SIMMER_MAX_POSITION, etc. via os.environ
Command execution | NONE | NONE | | No subprocess, os.system, or shell execution found
Filesystem | NONE | NONE | | No file reads or writes present
Clipboard | NONE | NONE | | No clipboard access
Browser | NONE | NONE | | No browser automation
Database | NONE | NONE | | No database access
Skill invocation | NONE | NONE | | No recursive skill invocation

Directory structure

3 files · 24.8 KB · 682 lines
Python: 1 file, 491 lines · Markdown: 1 file, 104 lines · JSON: 1 file, 87 lines
├─ 📋 clawhub.json  JSON, 87 lines · 1.8 KB
├─ 📝 SKILL.md      Markdown, 104 lines · 5.7 KB
└─ 🐍 trader.py     Python, 491 lines · 17.3 KB

Dependency analysis (1)

Package | Version | Source | Known vulnerabilities | Notes
simmer-sdk | * | pip (PyPI) | | Version not pinned in clawhub.json

Security highlights

✓ No subprocess, os.system, or shell execution anywhere in the codebase
✓ No credential exfiltration — SIMMER_API_KEY is only used to authenticate with the Simmer API
✓ No data exfiltration — all API calls go to the documented Simmer/Polymarket endpoints only
✓ No obfuscation — no base64, eval, or anti-analysis patterns detected
✓ Doc-to-code alignment is excellent — SKILL.md accurately describes all behavior
✓ Safe defaults — paper trading mode (venue='sim') is the default; --live flag required for real trades
✓ Position and spread safeguards implemented via context_ok() and compute_signal() gates
✓ No sensitive file access (~/.ssh, ~/.aws, .env, etc.)
✓ No hidden instructions, HTML comments, or steganographic payloads
✓ safe_print() is a simple, non-malicious encoding fallback