Trusted — Risk Score 5/100
Last scan: 1 day ago
polymarket-energy-transition-trader
Trades Polymarket prediction markets on energy transition themes (EV, solar/wind, nuclear, oil, energy policy) using conviction-based sizing with energy data calendar and technology-tier confidence bias.
A straightforward Polymarket energy-transition trading skill that uses the simmer-sdk for market discovery and trade execution. No malicious behavior, obfuscation, credential theft, or undeclared capabilities detected.
Skill Name: polymarket-energy-transition-trader
Duration: 31.7s
Engine: pi
Safe to install
No action needed. This is a legitimate trading bot. Ensure SIMMER_API_KEY is stored securely and do not pass --live in untrusted environments.

Findings 1 items

Severity: Info
Finding: Allowed-tools mapping suggests filesystem:NONE but code reads env vars (Doc Mismatch)
Location: trader.py:1
The allowed-tools mapping (Read→filesystem:READ, Write→filesystem:WRITE) is not present in the declared tool set, which implies filesystem:NONE. trader.py reads os.environ but only for documented SIMMER_* config vars — a benign, expected use case.
import os, import argparse, from datetime import...
→ No action needed. Environment variable reading for configuration is standard practice and fully documented in SKILL.md.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | NONE | NONE | | No file reads/writes in trader.py; os.environ used only for config loading |
| Network | none | READ | ✓ Aligned | SimmerClient makes API calls to polymarket — declared in SKILL.md and clawhub.js… |
| Shell | NONE | NONE | | No subprocess, no shell invocation |
| Environment | READ | READ | ✓ Aligned | os.environ.get for SIMMER_API_KEY and SIMMER_* tunables — documented in SKILL.md… |
| Skill Invoke | NONE | NONE | | No cross-skill invocation |
| Clipboard | NONE | NONE | | No clipboard access |
| Browser | NONE | NONE | | No browser automation |
| Database | NONE | NONE | | No database access |

File Tree

3 files · 22.3 KB · 518 lines
Python 1f · 333L Markdown 1f · 117L JSON 1f · 68L
├─ 📋 clawhub.json JSON 68L · 1.1 KB
├─ 📝 SKILL.md Markdown 117L · 6.4 KB
└─ 🐍 trader.py Python 333L · 14.8 KB

Dependencies 1 items

| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| simmer-sdk | * | pip | No | Version not pinned; single dependency from trusted maintainer (SpartanLabsXyz) |

Security Positives

✓ Paper trading (venue='sim') is the hardcoded default — real trades require explicit --live flag
✓ Single, named dependency (simmer-sdk) from a known PyPI maintainer (SpartanLabsXyz)
✓ No subprocess, no shell, no os.popen, no exec — purely SDK-based logic
✓ No credential exfiltration — SIMMER_API_KEY is used only to initialize the trading client
✓ No base64, eval, or code obfuscation — all logic is plain, readable Python
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env, etc.)
✓ No hidden instructions or steganographic payloads
✓ Strategy logic (transition_bias, compute_signal) is fully documented in docstrings and SKILL.md
✓ clawhub.json correctly declares all tunable parameters with ranges
✓ autostart: false and cron: null prevent unattended execution