Trusted — Risk score 5/100
Last scan: 1 day ago
polymarket-energy-transition-trader
Trades Polymarket prediction markets on energy transition themes (EV, solar/wind, nuclear, oil, energy policy) using conviction-based sizing with energy data calendar and technology-tier confidence bias.
A straightforward Polymarket energy-transition trading skill that uses the simmer-sdk for market discovery and trade execution. No malicious behavior, obfuscation, credential theft, or undeclared capabilities detected.
Skill name: polymarket-energy-transition-trader
Analysis time: 31.7s
Engine: pi
Verdict: safe to install
No action needed. This is a legitimate trading bot. Ensure SIMMER_API_KEY is stored securely and do not pass --live in untrusted environments.

Security findings: 1

Severity: Info
Finding: Allowed-tools mapping suggests filesystem:NONE but code reads env vars (category: documentation deception)
Location: trader.py:1
Details: The allowed-tools mapping (Read→filesystem:READ, Write→filesystem:WRITE) is not present in the declared tool set, which implies filesystem:NONE. trader.py reads os.environ but only for documented SIMMER_* config vars — a benign, expected use case.
Evidence: import os, import argparse, from datetime import...
Recommendation: No action needed. Environment variable reading for configuration is standard practice and fully documented in SKILL.md.
Resource type          | Declared permission | Inferred permission | Status       | Evidence
Filesystem             | NONE                | NONE                |              | No file reads/writes in trader.py; os.environ used only for config loading
Network access         | none                | READ                | ✓ Consistent | SimmerClient makes API calls to polymarket — declared in SKILL.md and clawhub.js…
Command execution      | NONE                | NONE                |              | No subprocess, no shell invocation
Environment variables  | READ                | READ                | ✓ Consistent | os.environ.get for SIMMER_API_KEY and SIMMER_* tunables — documented in SKILL.md…
Skill invocation       | NONE                | NONE                |              | No cross-skill invocation
Clipboard              | NONE                | NONE                |              | No clipboard access
Browser                | NONE                | NONE                |              | No browser automation
Database               | NONE                | NONE                |              | No database access

Directory structure

3 files · 22.3 KB · 518 lines
Python: 1 file, 333 lines · Markdown: 1 file, 117 lines · JSON: 1 file, 68 lines
├─ 📋 clawhub.json   JSON      68 lines  · 1.1 KB
├─ 📝 SKILL.md       Markdown  117 lines · 6.4 KB
└─ 🐍 trader.py      Python    333 lines · 14.8 KB

Dependency analysis: 1

Package    | Version | Source | Known vulnerabilities | Notes
simmer-sdk | *       | pip    |                       | Version not pinned; single dependency from trusted maintainer (SpartanLabsXyz)

Security highlights

✓ Paper trading (venue='sim') is the hardcoded default — real trades require explicit --live flag
✓ Single, named dependency (simmer-sdk) from a known PyPI maintainer (SpartanLabsXyz)
✓ No subprocess, no shell, no os.popen, no exec — purely SDK-based logic
✓ No credential exfiltration — SIMMER_API_KEY is used only to initialize the trading client
✓ No base64, eval, or code obfuscation — all logic is plain, readable Python
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env, etc.)
✓ No hidden instructions or steganographic payloads
✓ Strategy logic (transition_bias, compute_signal) is fully documented in docstrings and SKILL.md
✓ clawhub.json correctly declares all tunable parameters with ranges
✓ autostart: false and cron: null prevent unattended execution