中文 EN

Scan Report

Scan New Files

Low Risk — Risk Score 12/100
Last scan:1 day ago Rescan
12 /100
polymarket-social-trends-trader
Trades Polymarket prediction markets on social trend indicators using conviction-based sizing with ideological motivation correction and US legislative calendar bias
A legitimate Polymarket trading strategy with fully documented behavior, safe paper-trading defaults, and no hidden functionality — minor concern only around unpinned dependency.
Skill Namepolymarket-social-trends-trader
Duration32.9s
Enginepi
Safe to install
Pin simmer-sdk to a specific version (e.g., simmer-sdk==x.y.z) to eliminate supply-chain risk. Otherwise, safe to use as documented.

Findings 1 items

Severity Finding Location
Low
Unpinned simmer-sdk dependency Supply Chain
clawhub.json declares 'simmer-sdk' without a version constraint. pip install will resolve to the latest available version at install time, which could introduce unexpected behavior if a breaking or malicious version is released.
"pip": ["simmer-sdk"]
→ Pin to a specific version: "simmer-sdk>=x.y.z,<x.y+1.0" or exact pin "simmer-sdk==x.y.z". Check PyPI for current version and pin accordingly.
 clawhub.json:6
ResourceDeclaredInferredStatusEvidence
Network READ READ ✓ Aligned Uses SimmerClient from simmer-sdk to query Polymarket API for market discovery a…
Environment READ READ ✓ Aligned Reads SIMMER_API_KEY and SIMMER_* tunable env vars — all declared in SKILL.md an…
Shell NONE NONE No subprocess, no os.system, no shell execution found
Filesystem NONE NONE No file reads or writes found; only env vars via os.environ
Clipboard NONE NONE Not accessed
Browser NONE NONE Not accessed
Database NONE NONE Not accessed
Skill Invoke NONE NONE No nested skill invocations

File Tree

3 files · 26.0 KB · 567 lines
Python 1f · 366L Markdown 1f · 128L JSON 1f · 73L
├─ 📋 clawhub.json JSON 73L · 1.2 KB
├─ 📝 SKILL.md Markdown 128L · 7.2 KB
└─ 🐍 trader.py Python 366L · 17.6 KB

Dependencies 1 items

PackageVersionSourceKnown VulnsNotes
simmer-sdk unpinned pip (PyPI) No No version constraint declared in clawhub.json — install-time resolution risk

Security Positives

✓ Paper trading is the safe default (venue="sim") — no real financial risk without explicit --live flag
✓ No shell execution, subprocess, or os.system calls
✓ No sensitive file access (~/.ssh, ~/.aws, .env, credentials files)
✓ No network requests to raw IPs or external endpoints outside the Simmer SDK
✓ No base64 encoding, eval, or obfuscation patterns
✓ No credential harvesting beyond the declared SIMMER_API_KEY
✓ No hidden functionality — code and documentation are consistent
✓ No auto-start or cron configuration (autostart: false, cron: null)
✓ All environment variable access is via documented tunable parameters (SIMMER_*)