polymarket-geopolitics-deadline-cascade-trader 安全扫描报告 — 可信 | ClawSafe

5 /100

polymarket-geopolitics-deadline-cascade-trader

Trades temporal inconsistencies across Polymarket geopolitical deadline markets by exploiting probabilistic monotonicity violations

A legitimate Polymarket trading skill that scans geopolitical deadline markets for probabilistic inconsistencies; no malicious behavior detected.

技能名称polymarket-geopolitics-deadline-cascade-trader

分析耗时33.8s

引擎pi

✓

可以安装

Approve for use. The skill is well-documented, defaults to paper trading, and all functionality is transparently declared. No credential theft, obfuscation, or undeclared network/file access.

安全发现 1 项

严重性	安全发现	位置
低危	Unpinned dependency version 供应链 simmer-sdk is listed in requires.pip without a pinned version (e.g., simmer-sdk==x.y.z). While the package appears legitimate, unpinned versions could resolve to a malicious version if PyPI is compromised or a typosquat is registered. `"pip": ["simmer-sdk"]` → Pin to a specific version: "simmer-sdk>=1.0.0,<2.0.0" or a known-good hash	`clawhub.json:6`

资源类型	声明权限	推断权限	状态	证据
文件系统	`NONE`	`NONE`	—	trader.py: No file reads or writes found
网络访问	`READ`	`READ`	✓ 一致	trader.py: All network activity via simmer-sdk (Polymarket API); no raw HTTP
命令执行	`NONE`	`NONE`	—	trader.py: No subprocess, os.system, or shell invocation
环境变量	`READ`	`READ`	✓ 一致	trader.py: Only reads SIMMER_* environment variables for configuration
技能调用	`NONE`	`NONE`	—	trader.py: No skill invocation logic
剪贴板	`NONE`	`NONE`	—	No clipboard access
浏览器	`NONE`	`NONE`	—	No browser automation
数据库	`NONE`	`NONE`	—	No database access

目录结构

3 文件 · 28.5 KB · 773 行

Python 1f · 559L JSON 1f · 109L Markdown 1f · 105L

├─ 📋 clawhub.json JSON 109L · 1.8 KB

├─ 📝 SKILL.md Markdown 105L · 5.3 KB

└─ 🐍 trader.py Python 559L · 21.3 KB

依赖分析 1 项

包名	版本	来源	已知漏洞	备注
`simmer-sdk`	`*`	pip	否	Version not pinned in clawhub.json requires.pip

安全亮点

✓ Skill documentation (SKILL.md) fully matches implementation — no doc-to-code mismatch

✓ Defaults to paper trading (sim mode) — zero financial risk without explicit --live flag

✓ No shell execution, subprocess, os.system, or any shell commands found

✓ No credential harvesting — SIMMER_API_KEY is used only for the Polymarket SDK

✓ No obfuscation — all code is readable plain Python, no base64 or eval()

✓ No sensitive path access (~/.ssh, ~/.aws, .env) — only reads SIMMER_* env vars

✓ No remote script execution (curl|bash, wget|sh)

✓ No hidden instructions in comments or HTML

✓ No persistence mechanisms (cron, startup hooks) — autostart=false, cron=null

✓ No data exfiltration — all network I/O is via the simmer-sdk to Polymarket API

✓ Trade reasoning and signals are logged to stdout only

✓ Safe print function prevents information leakage via encoding errors