Trusted: risk score 5/100
Last scan: 1 day ago
polymarket-central-bank-trader
Trades Polymarket prediction markets on central bank decisions, interest rates, inflation prints, and Fed/ECB/Riksbank policy moves using conviction-based sizing and a central bank bias multiplier.
A well-documented Polymarket trading strategy that reads market data via an official SDK and executes paper trades by default, with no shell execution, no sensitive file access, and no undeclared network activity.
Skill name: polymarket-central-bank-trader
Analysis time: 24.9s
Engine: pi
Verdict: can be installed
No action required. The skill is safe to deploy — verify the simmer-sdk version is pinned in production.

Security findings (1)

Severity | Finding | Location
Low | simmer-sdk version not pinned in skill definition | Supply chain
clawhub.json declares 'simmer-sdk' without a version constraint, allowing any release to be installed at runtime. While the SDK is from a legitimate source (PyPI/SpartanLabsXyz), version pinning prevents unexpected breaking changes or supply-chain hijacking.
Evidence: "pip": ["simmer-sdk"]
→ Pin to a specific version, e.g. "simmer-sdk>=1.0.0,<2.0.0", or add a requirements.txt with an exact version.
Location: clawhub.json:1
Resource type | Declared permission | Inferred permission | Status | Evidence
File system | NONE | NONE | | trader.py — no open(), write(), or path operations
Network access | READ | READ | ✓ Consistent | trader.py:249 — client.find_markets() via simmer-sdk only
Command execution | NONE | NONE | | trader.py — no subprocess, no os.system, no shell=True calls
Environment variables | READ | READ | ✓ Consistent | trader.py:31-32 — reads SIMMER_API_KEY and SIMMER_* tunables only
Skill invocation | NONE | NONE | | No skill-to-skill invocation; single-file strategy script
Clipboard | NONE | NONE | | No clipboard access in code
Browser | NONE | NONE | | No browser automation in code
Database | NONE | NONE | | No database access in code

Directory structure

3 files · 34.2 KB · 679 lines
Python: 1 file · 457 lines; Markdown: 1 file · 149 lines; JSON: 1 file · 73 lines
├─ 📋 clawhub.json JSON 73L · 1.2 KB
├─ 📝 SKILL.md Markdown 149L · 11.5 KB
└─ 🐍 trader.py Python 457L · 21.4 KB

Dependency analysis (1)

Package | Version | Source | Known vulnerabilities | Notes
simmer-sdk | * | pip | | Version not pinned — recommend pinning a specific release

Security highlights

✓ Paper trading is the hard default — real trades require an explicit --live flag that would fail without SIMMER_API_KEY
✓ No shell execution, subprocess, os.system, or shell=True anywhere in the codebase
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env, credentials directories)
✓ No base64, obfuscation, or dynamic code evaluation
✓ All external I/O flows exclusively through the official simmer-sdk SimmerClient
✓ SKILL.md and clawhub.json accurately reflect implementation — zero doc-to-code mismatch
✓ No auto-start or cron configuration; autostart=false, cron=null in clawhub.json
✓ Uses a named client pattern (_client singleton) to prevent accidental double-initialization
✓ Flip-flop and slippage safeguards implemented via client.get_market_context()