Low Risk — Risk Score 10/100
Last scan: 1 day ago
polymarket-global-elections-trader
Trades Polymarket prediction markets on elections, referendums, and democratic events worldwide
A legitimate Polymarket election trading bot that uses keyword-based market discovery and conviction-based sizing. No malicious behavior detected; all functionality is accurately documented in SKILL.md.
Skill Name: polymarket-global-elections-trader
Duration: 26.7s
Engine: pi
Safe to install
No immediate action required. Consider pinning the simmer-sdk version for reproducibility.

Findings 1 items

Severity: Low
Finding: Unpinned SDK dependency (Supply Chain)
Location: clawhub.json:5
simmer-sdk has no version constraint in requirements, creating reproducibility risk. While the package is from PyPI (not suspicious), version pinning is a best practice.
"pip": ["simmer-sdk"]
→ Pin to a specific version, e.g., "simmer-sdk>=1.0.0,<2.0.0"
Resource      Declared  Inferred  Status     Evidence
Filesystem    NONE      NONE                 No file I/O in trader.py
Network       NONE      READ      ✓ Aligned  simmer-sdk makes outbound API calls to Polymarket; indirectly required for tradi…
Shell         NONE      NONE                 No subprocess, os.system, or shell execution
Environment   READ      READ      ✓ Aligned  trader.py:51-59 reads SIMMER_* vars for configuration
Skill Invoke  NONE      NONE                 No skill-to-skill invocation
Clipboard     NONE      NONE                 No clipboard access
Browser       NONE      NONE                 No browser automation
Database      NONE      NONE                 No database access

File Tree

3 files · 27.6 KB · 587 lines
Python 1f · 385L Markdown 1f · 129L JSON 1f · 73L
├─ 📋 clawhub.json JSON 73L · 1.2 KB
├─ 📝 SKILL.md Markdown 129L · 7.6 KB
└─ 🐍 trader.py Python 385L · 18.8 KB

Dependencies 1 items

Package     Version  Source  Known Vulns  Notes
simmer-sdk  *        pip     No           Version not pinned; PyPI package from SpartanLabsXyz

Security Positives

✓ Safe paper-trading default (venue="sim" unless --live flag is explicitly provided)
✓ No shell execution, file writes, or credential harvesting beyond the declared SIMMER_API_KEY
✓ Documentation accurately describes all behavior — no hidden functionality
✓ No obfuscation techniques (no base64, eval, or anti-analysis patterns)
✓ Guards against slippage and flip-flop trades via context_ok() function
✓ No network requests made directly — all API calls go through the simmer-sdk
✓ Cron/automaton disabled by default (autostart: false)