polymarket-geopolitics-deadline-cascade-trader Security Report — Trusted | ClawSafe

5 /100

polymarket-geopolitics-deadline-cascade-trader

Trades temporal inconsistencies across Polymarket geopolitical deadline markets by exploiting probabilistic monotonicity violations

A legitimate Polymarket trading skill that scans geopolitical deadline markets for probabilistic inconsistencies; no malicious behavior detected.

Skill Namepolymarket-geopolitics-deadline-cascade-trader

Duration33.8s

Enginepi

✓

Safe to install

Approve for use. The skill is well-documented, defaults to paper trading, and all functionality is transparently declared. No credential theft, obfuscation, or undeclared network/file access.

Findings 1 items

Severity	Finding	Location
Low	Unpinned dependency version Supply Chain simmer-sdk is listed in requires.pip without a pinned version (e.g., simmer-sdk==x.y.z). While the package appears legitimate, unpinned versions could resolve to a malicious version if PyPI is compromised or a typosquat is registered. `"pip": ["simmer-sdk"]` → Pin to a specific version: "simmer-sdk>=1.0.0,<2.0.0" or a known-good hash	`clawhub.json:6`

Resource	Declared	Inferred	Status	Evidence
Filesystem	`NONE`	`NONE`	—	trader.py: No file reads or writes found
Network	`READ`	`READ`	✓ Aligned	trader.py: All network activity via simmer-sdk (Polymarket API); no raw HTTP
Shell	`NONE`	`NONE`	—	trader.py: No subprocess, os.system, or shell invocation
Environment	`READ`	`READ`	✓ Aligned	trader.py: Only reads SIMMER_* environment variables for configuration
Skill Invoke	`NONE`	`NONE`	—	trader.py: No skill invocation logic
Clipboard	`NONE`	`NONE`	—	No clipboard access
Browser	`NONE`	`NONE`	—	No browser automation
Database	`NONE`	`NONE`	—	No database access

File Tree

3 files · 28.5 KB · 773 lines

Python 1f · 559L JSON 1f · 109L Markdown 1f · 105L

├─ 📋 clawhub.json JSON 109L · 1.8 KB

├─ 📝 SKILL.md Markdown 105L · 5.3 KB

└─ 🐍 trader.py Python 559L · 21.3 KB

Dependencies 1 items

Package	Version	Source	Known Vulns	Notes
`simmer-sdk`	`*`	pip	No	Version not pinned in clawhub.json requires.pip

Security Positives

✓ Skill documentation (SKILL.md) fully matches implementation — no doc-to-code mismatch

✓ Defaults to paper trading (sim mode) — zero financial risk without explicit --live flag

✓ No shell execution, subprocess, os.system, or any shell commands found

✓ No credential harvesting — SIMMER_API_KEY is used only for the Polymarket SDK

✓ No obfuscation — all code is readable plain Python, no base64 or eval()

✓ No sensitive path access (~/.ssh, ~/.aws, .env) — only reads SIMMER_* env vars

✓ No remote script execution (curl|bash, wget|sh)

✓ No hidden instructions in comments or HTML

✓ No persistence mechanisms (cron, startup hooks) — autostart=false, cron=null

✓ No data exfiltration — all network I/O is via the simmer-sdk to Polymarket API

✓ Trade reasoning and signals are logged to stdout only

✓ Safe print function prevents information leakage via encoding errors

Scan Report

Findings 1 items

File Tree

Dependencies 1 items

Security Positives