Trusted — Risk Score 5/100
Last scan: 1 day ago
polymarket-48h-player-prop-consistency-trader
Trades NBA player prop mispricings on Polymarket by detecting cross-stat consistency or divergence
Legitimate NBA player prop trading bot using the simmer-sdk for Polymarket, with safe paper-trading defaults and comprehensive documentation.
Skill Name: polymarket-48h-player-prop-consistency-trader
Duration: 25.5s
Engine: pi
Safe to install
This skill is safe to use. The only minor recommendation is to pin the simmer-sdk version in a requirements.txt for reproducible builds.

Findings (1 item)

Severity | Finding | Location
Low | Unpinned dependency version (Supply Chain) | clawhub.json:5

The skill declares simmer-sdk as a dependency but does not specify a version constraint. This could lead to unexpected behavior if the package is updated.
"pip": ["simmer-sdk"]
→ Consider pinning to a specific version (e.g., simmer-sdk>=1.0.0,<2.0.0) for reproducible builds.

Resource | Declared | Inferred | Status | Evidence
Filesystem | NONE | NONE | | No file operations in code
Network | READ | READ | ✓ Aligned | Uses simmer-sdk to query Polymarket API for market data
Shell | NONE | NONE | | No shell execution found
Environment | READ | READ | ✓ Aligned | Reads SIMMER_API_KEY and tunables from env; uses locally for API auth
Skill Invoke | NONE | NONE | | No skill invocation code present
Clipboard | NONE | NONE | | No clipboard access
Browser | NONE | NONE | | No browser automation
Database | NONE | NONE | | No database access

File Tree

3 files · 26.2 KB · 702 lines
Python 1f · 494L Markdown 1f · 121L JSON 1f · 87L
├─ 📋 clawhub.json JSON 87L · 1.8 KB
├─ 📝 SKILL.md Markdown 121L · 5.4 KB
└─ 🐍 trader.py Python 494L · 18.9 KB

Dependencies (1 item)

Package | Version | Source | Known Vulns | Notes
simmer-sdk | * | pip | No | Version not pinned; declared in clawhub.json

Security Positives

✓ Paper trading is the default mode (venue="sim"), eliminating financial risk by default
✓ Real trading requires explicit --live flag
✓ Autostart and cron are disabled by default (autostart: false, cron: null)
✓ Documentation comprehensively describes all functionality with no mismatches
✓ No shell execution, subprocess, or system calls
✓ No obfuscation, base64 encoding, or anti-analysis techniques
✓ No credential exfiltration - API key is used locally for Polymarket auth only
✓ No network calls to suspicious IPs or domains
✓ Clean code structure with proper input validation
✓ Risk parameters are tunable through declared environment variables