Trusted — Risk Score 5/100
Last scan: 2 days ago
kalshi-eth-btc-beta-trader
Trades ETH price markets on Kalshi by exploiting the 1.3x beta relationship between ETH and BTC. Detects BTC probability shifts and trades lagging ETH markets.
A well-documented Kalshi ETH-BTC beta trading bot that makes authenticated API calls to Simmer Markets; no malicious behavior, no hidden functionality, and no credential exfiltration.
Skill Name: kalshi-eth-btc-beta-trader
Duration: 27.2s
Engine: pi
Safe to install
No action needed. The skill is safe to use. As a precaution, do not provide live trading credentials unless you have independently audited the simmer-sdk dependency.

Findings: 1 item

Severity: Low
Finding: Unpinned PyPI dependency
The skill requires simmer-sdk without a version pin, so pip install simmer-sdk could resolve to any version, including a future compromised release.
Evidence: "requires": {"pip": ["simmer-sdk"]}
→ Pin to a specific version (e.g., simmer-sdk==1.2.3) or, at minimum, constrain it to a bounded version range (simmer-sdk>=1.0.0,<2.0.0) to reduce supply-chain risk.
Location: clawhub.json:2
Resource       Declared  Inferred  Status     Evidence
Filesystem     NONE      READ      ✓ Aligned  trader.py:42 - load_config reads skill config file only
Network        READ      READ      ✓ Aligned  trader.py:231-247 - GET /api/sdk/markets, /api/sdk/context, /api/sdk/positions
Shell          NONE      NONE                 No subprocess, os.system, or shell execution calls found
Environment    WRITE     WRITE     ✓ Aligned  Reads SIMMER_API_KEY, SOLANA_PRIVATE_KEY, TRADING_VENUE, AUTOMATON_* vars
Skill Invoke   NONE      READ      ✓ Aligned  trader.py:27-32 - tries to import tradejournal skill if available
2 findings
Medium  External URL   https://simmer.markets/skills  (SKILL.md:10)
Info    Email address  [email protected]  (SKILL.md:128)

File Tree

3 files · 33.0 KB · 944 lines
Python: 1 file · 707 lines; Markdown: 1 file · 130 lines; JSON: 1 file · 107 lines
├─ 📋 clawhub.json JSON 107L · 2.0 KB
├─ 📝 SKILL.md Markdown 130L · 5.3 KB
└─ 🐍 trader.py Python 707L · 25.7 KB

Dependencies: 1 item

Package      Version  Source  Known Vulns  Notes
simmer-sdk   *        pip     No           Version not pinned — could resolve to a compromised future version

Security Positives

✓ SKILL.md is thorough and accurately describes all functionality — no doc-to-code mismatch
✓ No shell execution, subprocess, or os.system calls anywhere in the codebase
✓ No credential exfiltration — API keys are used only for Simmer API authentication
✓ No filesystem write operations — only reads config file via SDK helper
✓ No base64, eval, or dynamic code execution
✓ No access to sensitive local paths (~/.ssh, ~/.aws, .env)
✓ No external IP connections except to documented Simmer API endpoints
✓ Dry-run mode is the default, requiring explicit --live flag for real trades
✓ Trade journal integration is optional and gracefully degrades if unavailable
✓ No hidden instructions in comments or strings