Trusted — Risk Score 5/100
Last scan: 1 day ago
polymarket-central-bank-trader
Trades Polymarket prediction markets on central bank decisions, interest rates, inflation prints, and Fed/ECB/Riksbank policy moves using conviction-based sizing and a central bank bias multiplier.
A well-documented Polymarket trading strategy that reads market data via an official SDK and executes paper trades by default, with no shell execution, no sensitive file access, and no undeclared network activity.
Skill Name: polymarket-central-bank-trader
Duration: 24.9s
Engine: pi
Safe to install
No blocking action required. The skill is safe to deploy; before production use, pin the simmer-sdk version to an exact release (see the Low finding below).

Findings (1 item)

Severity: Low
Finding: simmer-sdk version not pinned in skill definition
Location: Supply Chain (clawhub.json:1)
Detail: clawhub.json declares 'simmer-sdk' without a version constraint, so whichever release is current at install time is what runs. The SDK comes from a legitimate source (PyPI/SpartanLabsXyz), but an unconstrained requirement means a breaking release, or a malicious one published after a project or account takeover, is pulled in automatically on the next install.
Evidence: "pip": ["simmer-sdk"]
Recommendation: Pin to an exact release rather than a range. A compatible-release range such as "simmer-sdk>=1.0.0,<2.0.0" only blocks major-version breakage and still accepts any new 1.x upload; an exact "simmer-sdk==<version>" pin keeps installs on a reviewed release, and a requirements.txt carrying --hash entries installed under pip's --require-hashes mode additionally rejects an artifact whose contents differ from the one that was reviewed.
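A lint for this class of finding, as an added example (not the scanner's code): it parses the "pip" list of a clawhub.json-style manifest and reports every requirement that is not pinned to exactly one release, treating ranges and wildcard pins ("==1.*") as unpinned. The manifest fragment and the version number 1.4.2 used in the usage lines are constructed for the demonstration.

```python
"""Lint the pip requirements a clawhub.json-style manifest declares for exact pins.

Added example; this is not the scanner's code. It assumes a manifest with a
top-level "pip" list of PEP 508 requirement strings, as in the evidence above.
"""
from __future__ import annotations
import json
import re

# name, optional [extras], optional version specifier, optional "@ url", optional "; marker"
_REQ_RE = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)"
    r"\s*(?P<extras>\[[^\]]*\])?"
    r"\s*(?P<spec>[^;@]*?)"
    r"\s*(?P<url>@\s*\S+)?"
    r"\s*(?:;.*)?$"
)
# A single ==/=== clause naming a full version with no wildcard, e.g. "==1.2.3"
_EXACT_RE = re.compile(r"===?\s*[A-Za-z0-9.!+-]+")


def classify_requirement(req: str) -> tuple[str, str]:
    """Return (normalized name, status).

    status is one of:
      'exact' - exactly one release can satisfy it (pkg==1.2.3)
      'range' - a specifier that still admits several releases (>=, <, ~=, ==1.*)
      'any'   - no specifier at all: every release, current or future, is acceptable
      'url'   - direct URL / VCS reference; review by hand
    """
    m = _REQ_RE.match(req)
    if not m:
        raise ValueError(f"unparseable requirement: {req!r}")
    # PEP 503 normalization so Simmer_SDK, simmer.sdk and simmer-sdk compare equal
    name = re.sub(r"[-_.]+", "-", m.group("name")).lower()
    if m.group("url"):
        return name, "url"
    clauses = [c.strip() for c in m.group("spec").split(",") if c.strip()]
    if not clauses:
        return name, "any"
    if len(clauses) == 1 and _EXACT_RE.fullmatch(clauses[0]):
        return name, "exact"
    return name, "range"


def unpinned(manifest_text: str) -> list[str]:
    """Names of declared pip dependencies that are not pinned to an exact release."""
    manifest = json.loads(manifest_text)
    return sorted(
        name for name, status in map(classify_requirement, manifest.get("pip", []))
        if status != "exact"
    )


# Constructed manifest fragment mirroring the evidence line; not the skill's actual clawhub.json.
SAMPLE_MANIFEST = json.dumps({"name": "polymarket-central-bank-trader", "pip": ["simmer-sdk"]})

if __name__ == "__main__":
    for dep in unpinned(SAMPLE_MANIFEST):
        print(f"supply-chain: {dep} is not pinned to an exact release")
    # "simmer-sdk>=1.0.0,<2.0.0" is reported as 'range'; "simmer-sdk==1.4.2" (hypothetical) as 'exact'
    print(classify_requirement("simmer-sdk>=1.0.0,<2.0.0"), classify_requirement("simmer-sdk==1.4.2"))
```

Exact pinning is the bar this check enforces; hash pinning is a separate step (pip's --hash / --require-hashes) that the lint cannot verify from the manifest alone.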
Resource     | Declared | Inferred | Status    | Evidence
Filesystem   | NONE     | NONE     | ✓ Aligned | trader.py — no open(), write(), or path operations
Network      | READ     | READ     | ✓ Aligned | trader.py:249 — client.find_markets() via simmer-sdk only
Shell        | NONE     | NONE     | ✓ Aligned | trader.py — no subprocess, no os.system, no shell=True calls
Environment  | READ     | READ     | ✓ Aligned | trader.py:31-32 — reads SIMMER_API_KEY and SIMMER_* tunables only
Skill Invoke | NONE     | NONE     | ✓ Aligned | No skill-to-skill invocation; single-file strategy script
Clipboard    | NONE     | NONE     | ✓ Aligned | No clipboard access in code
Browser      | NONE     | NONE     | ✓ Aligned | No browser automation in code
Database     | NONE     | NONE     | ✓ Aligned | No database access in code

Note: the Network row describes the default paper-trading path. With --live, order placement also goes out through the same SimmerClient (see Security Positives), so in live mode the skill sends orders rather than only reading market data; review that path separately before enabling it.
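The Declared/Inferred comparison above is the core of this report. The following added example (not the scanner's own code) shows one way to produce such a table for a single-file Python skill: walk the AST, record evidence for filesystem, shell, dynamic-code, network and environment use, and diff the result against a declared capability map. It assumes that importing a known networking module implies network use and that the simmer-sdk package is imported as simmer_sdk (an assumption, not verified); both sample sources are constructed, and the second one deliberately adds a shell call and a credentials-file read so the mismatch path is exercised.

```python
"""Infer a Python skill's capabilities from its AST and diff them against its manifest.

Added example; this is not the scanner's own code. It assumes that importing a known
networking module implies network use and that the simmer-sdk package is imported as
'simmer_sdk' (assumed, not verified). The sample sources below are constructed.
"""
import ast

# Assumed module -> capability map; extend for the runtime being reviewed.
MODULE_CAPS = {"socket": "network", "requests": "network", "urllib": "network", "http": "network",
               "httpx": "network", "simmer_sdk": "network", "subprocess": "shell", "pty": "shell",
               "sqlite3": "database", "psycopg2": "database", "pyperclip": "clipboard",
               "selenium": "browser", "playwright": "browser"}
FS_CALLS = {"open", "io.open", "os.remove", "os.unlink", "os.rename", "shutil.copy", "shutil.rmtree"}
FS_METHODS = {"read_text", "write_text", "read_bytes", "write_bytes", "unlink", "mkdir"}
SHELL_CALLS = {"os.system", "os.popen", "os.execv", "os.execvp", "os.spawnl", "pty.spawn"}
DYNAMIC_CALLS = {"eval", "exec", "compile", "__import__"}


def dotted(node):
    """Render a Name/Attribute chain such as os.environ.get as a dotted string, else ''."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""


class CapabilityVisitor(ast.NodeVisitor):
    def __init__(self):
        self.evidence = {}  # capability -> set of "line N: what" strings

    def note(self, cap, node, what):
        self.evidence.setdefault(cap, set()).add(f"line {node.lineno}: {what}")

    def _module(self, name, node):
        root = name.split(".")[0]
        if root in MODULE_CAPS:
            self.note(MODULE_CAPS[root], node, f"import {name}")

    def visit_Import(self, node):
        for alias in node.names:
            self._module(alias.name, node)

    def visit_ImportFrom(self, node):
        self._module(node.module or "", node)

    def visit_Call(self, node):
        fn = dotted(node.func)
        if fn in FS_CALLS or (isinstance(node.func, ast.Attribute) and node.func.attr in FS_METHODS):
            self.note("filesystem", node, f"{fn or node.func.attr}()")
        if fn in SHELL_CALLS or fn.startswith("subprocess."):
            self.note("shell", node, f"{fn}()")
        if fn in DYNAMIC_CALLS:
            self.note("dynamic_code", node, f"{fn}()")
        if fn in ("os.getenv", "os.environ.get") and node.args and isinstance(node.args[0], ast.Constant):
            self.note("environment", node, f"{fn}({node.args[0].value!r})")
        for kw in node.keywords:  # subprocess.run(cmd, shell=True) and friends
            if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                self.note("shell", node, "shell=True")
        self.generic_visit(node)

    def visit_Subscript(self, node):  # os.environ["X"]; the slice is a Constant on Python 3.9+
        if dotted(node.value) == "os.environ" and isinstance(node.slice, ast.Constant):
            self.note("environment", node, f"os.environ[{node.slice.value!r}]")
        self.generic_visit(node)


def infer(source):
    """Map capability -> sorted evidence lines for one Python source file."""
    v = CapabilityVisitor()
    v.visit(ast.parse(source))
    return {cap: sorted(ev) for cap, ev in v.evidence.items()}


def compare(declared, inferred):
    """Capabilities used but declared NONE/absent, plus capabilities declared but never used."""
    problems = [f"UNDECLARED {cap}: {'; '.join(ev)}"
                for cap, ev in inferred.items() if declared.get(cap, "NONE") == "NONE"]
    problems += [f"OVERDECLARED {cap}: declared {lvl}, no usage found"
                 for cap, lvl in declared.items() if lvl != "NONE" and cap not in inferred]
    return problems


# Constructed stand-ins for trader.py; neither is the skill's real source.
ALIGNED_SRC = '''
import os
from simmer_sdk import SimmerClient
API_KEY = os.environ["SIMMER_API_KEY"]
MAX_SIZE = float(os.getenv("SIMMER_MAX_SIZE", "100"))
client = SimmerClient(api_key=API_KEY)
markets = client.find_markets("central bank")
'''
SUSPECT_SRC = ALIGNED_SRC + '''
import subprocess
subprocess.run("uname -a", shell=True)
creds = open(os.path.expanduser("~/.aws/credentials")).read()
'''
DECLARED = {"filesystem": "NONE", "network": "READ", "shell": "NONE", "environment": "READ"}

if __name__ == "__main__":
    for label, src in (("aligned", ALIGNED_SRC), ("suspect", SUSPECT_SRC)):
        print(label, compare(DECLARED, infer(src)) or "aligned with manifest")
```

The visitor only sees literal patterns; indirection such as getattr(os, "system") or a string assembled at runtime would not be caught, which is why the report's separate check for base64 and dynamic evaluation (Security Positives) matters alongside this kind of table.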

File Tree

3 files · 34.2 KB · 679 lines
Python: 1 file, 457 lines · Markdown: 1 file, 149 lines · JSON: 1 file, 73 lines
├─ 📋 clawhub.json JSON 73L · 1.2 KB
├─ 📝 SKILL.md Markdown 149L · 11.5 KB
└─ 🐍 trader.py Python 457L · 21.4 KB

Dependencies (1 item)

Package    | Version | Source | Known Vulns | Notes
simmer-sdk | *       | pip    | No          | Version not pinned — recommend pinning a specific release

Note: with the version unconstrained, the Known Vulns result can only reflect whichever release resolved at scan time; re-run the vulnerability check against the exact version once it is pinned.

Security Positives

✓ Paper trading is the hard default — real trades require an explicit --live flag that would fail without SIMMER_API_KEY
✓ No shell execution, subprocess, os.system, or shell=True anywhere in the codebase
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env, credentials directories)
✓ No base64, obfuscation, or dynamic code evaluation
✓ All external I/O flows exclusively through the official simmer-sdk SimmerClient
✓ SKILL.md and clawhub.json accurately reflect implementation — zero doc-to-code mismatch
✓ No auto-start or cron configuration; autostart=false, cron=null in clawhub.json
✓ Uses a module-level _client singleton so the SDK client is created once, preventing accidental double-initialization
✓ Flip-flop and slippage safeguards implemented via client.get_market_context()
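The first positive above describes a fail-closed default: paper mode unless --live is passed, and --live refuses to run without SIMMER_API_KEY. The following added example (not trader.py's own code) shows that gating pattern in isolation, including the two properties worth testing: a key alone never switches to live, and the live submit path is unreachable in paper mode. --live and SIMMER_API_KEY follow the report; SIMMER_MAX_POSITION, --max-position and the order dictionary are hypothetical, introduced only for the demonstration.

```python
"""Fail-closed mode selection: paper trading unless --live is given AND a credential exists.

Added example of the pattern the positives list describes; it is not trader.py.
--live and SIMMER_API_KEY follow the report; SIMMER_MAX_POSITION, --max-position and
the order shape are hypothetical, introduced only for the demonstration.
"""
from __future__ import annotations
import argparse
import os
from typing import Callable, Mapping


class LiveModeError(RuntimeError):
    """Raised when live trading is requested without the credential it needs."""


def resolve_config(argv: list[str], env: Mapping[str, str]) -> dict:
    """Decide the run mode. Live needs both the flag and a non-empty key: a key alone
    never switches to live, and the flag alone aborts before any client is built."""
    parser = argparse.ArgumentParser(prog="trader")
    parser.add_argument("--live", action="store_true", help="place real orders (default: paper)")
    parser.add_argument("--max-position", type=float, default=None, help="USD cap per market")
    args = parser.parse_args(argv)

    api_key = env.get("SIMMER_API_KEY", "").strip()  # whitespace-only counts as unset
    if args.live and not api_key:
        raise LiveModeError("--live requested but SIMMER_API_KEY is unset; refusing to start")

    max_position = (args.max_position if args.max_position is not None
                    else float(env.get("SIMMER_MAX_POSITION", "50")))
    if max_position <= 0:
        raise ValueError("SIMMER_MAX_POSITION / --max-position must be positive")
    return {"mode": "live" if args.live else "paper", "max_position": max_position}


def execute(order: dict, config: dict, submit: Callable[[dict], str]) -> dict:
    """Route an order. The live submit callable is invoked only in live mode, so a bug
    elsewhere cannot place a real order by accident; paper mode returns a simulated fill."""
    if order["size_usd"] > config["max_position"]:
        raise ValueError(f"order {order['size_usd']} exceeds cap {config['max_position']}")
    if config["mode"] == "live":
        return {"status": "submitted", "ref": submit(order)}
    return {"status": "paper", "ref": None}


if __name__ == "__main__":
    import sys
    cfg = resolve_config(sys.argv[1:], os.environ)
    # Constructed order; the submit callable stands in for the SDK's live order call.
    print(execute({"market": "example-fed-decision", "side": "YES", "size_usd": 10.0},
                  cfg, submit=lambda o: "live-order-ref"))
```

Keeping the credential check inside resolve_config, before any SDK client is constructed, is what makes "--live would fail without SIMMER_API_KEY" a property of startup rather than something discovered on the first order.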