Trusted: risk score 5/100
Last scan: 2 days ago
kalshi-eth-btc-beta-trader
Trades ETH price markets on Kalshi by exploiting the 1.3x beta relationship between ETH and BTC. Detects BTC probability shifts and trades lagging ETH markets.
A well-documented Kalshi ETH-BTC beta trading bot that makes authenticated API calls to Simmer Markets; no malicious behavior, no hidden functionality, and no credential exfiltration.
Skill name: kalshi-eth-btc-beta-trader
Analysis time: 27.2s
Engine: pi
Verdict: can be installed
No action needed. The skill is safe to use. As a precaution, do not provide live trading credentials unless you have independently audited the simmer-sdk dependency.

Security findings: 1

Severity: Low
Finding: Unpinned PyPI dependency
Details: The skill requires simmer-sdk without a version pin, so pip install simmer-sdk could resolve to any version, including a future compromised release.
Evidence: "requires": {"pip": ["simmer-sdk"]}
Recommendation: Pin to a specific version (e.g., simmer-sdk==1.2.3) or, at minimum, a bounded version range (simmer-sdk>=1.0.0,<2.0.0) to reduce supply-chain risk.
Location: clawhub.json:2
Permissions (resource type, declared permission, inferred permission, status, evidence)
File system: declared NONE, inferred READ, ✓ consistent. Evidence: trader.py:42 - load_config reads skill config file only
Network access: declared READ, inferred READ, ✓ consistent. Evidence: trader.py:231-247 - GET /api/sdk/markets, /api/sdk/context, /api/sdk/positions
Command execution: declared NONE, inferred NONE. Evidence: no subprocess, os.system, or shell execution calls found
Environment variables: declared WRITE, inferred WRITE, ✓ consistent. Evidence: reads SIMMER_API_KEY, SOLANA_PRIVATE_KEY, TRADING_VENUE, AUTOMATON_* vars
Skill invocation: declared NONE, inferred READ, ✓ consistent. Evidence: trader.py:27-32 - tries to import tradejournal skill if available
Indicators: 2 findings
Medium, external URL: https://simmer.markets/skills (SKILL.md:10)
Info, email address: [email protected] (SKILL.md:128)

Directory structure

3 files · 33.0 KB · 944 lines
Python: 1 file, 707 lines · Markdown: 1 file, 130 lines · JSON: 1 file, 107 lines
├─ 📋 clawhub.json (JSON, 107 lines · 2.0 KB)
├─ 📝 SKILL.md (Markdown, 130 lines · 5.3 KB)
└─ 🐍 trader.py (Python, 707 lines · 25.7 KB)

Dependency analysis: 1 item

Package, version, source, known vulnerabilities, notes
simmer-sdk: version *, source pip, known vulnerabilities not listed. Note: version not pinned — could resolve to a compromised future version

Security highlights

✓ SKILL.md is thorough and accurately describes all functionality — no doc-to-code mismatch
✓ No shell execution, subprocess, or os.system calls anywhere in the codebase
✓ No credential exfiltration — API keys are used only for Simmer API authentication
✓ No filesystem write operations — only reads config file via SDK helper
✓ No base64, eval, or dynamic code execution
✓ No access to sensitive local paths (~/.ssh, ~/.aws, .env)
✓ No external IP connections except to documented Simmer API endpoints
✓ Dry-run mode is the default, requiring explicit --live flag for real trades
✓ Trade journal integration is optional and gracefully degrades if unavailable
✓ No hidden instructions in comments or strings