Scan Report
5 /100
polymarket-space-trader
Trades Polymarket prediction markets on space launches, SpaceX milestones, satellite deployments, Mars missions, and commercial spaceflight outcomes.
A legitimate Polymarket space trading skill with strong safe-by-default design: paper trading is the default, real trades require an explicit --live flag, no shell execution, no credential exfiltration, and all network activity is routed through the official simmer-sdk.
Safe to install
This skill is safe to use. Ensure the SIMMER_API_KEY provided to the automaton environment does not have live-trading permissions to prevent accidental financial exposure.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | NONE | NONE | — | trader.py:1-10 — no file open, read, or write calls |
| Network | READ | READ | ✓ Aligned | trader.py:19 — all network I/O goes through SimmerClient from simmer-sdk |
| Shell | NONE | NONE | — | trader.py — zero subprocess/os.system/os.popen calls |
| Environment | READ | READ | ✓ Aligned | trader.py:21-28 — only reads SIMMER_* prefixed env vars |
| Skill Invoke | NONE | NONE | — | trader.py — no skill invocation |
| Clipboard | NONE | NONE | — | trader.py — no clipboard access |
| Browser | NONE | NONE | — | trader.py — no browser or WebFetch calls |
| Database | NONE | NONE | — | trader.py — no database access |
1 findings
Info Email 邮箱地址
[email protected] SKILL.md:138 File Tree
3 files · 18.6 KB · 467 lines Python 1f · 254L
Markdown 1f · 140L
JSON 1f · 73L
├─
clawhub.json
JSON
├─
SKILL.md
Markdown
└─
trader.py
Python
Dependencies 1 items
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
simmer-sdk | * | pip | No | Official SDK from Simmer Markets (pypi.org/project/simmer-sdk); not pinned but from a known publisher |
Security Positives
✓ Paper trading (venue='sim') is the hardcoded default; --live flag is required for real trades
✓ Automaton autostart is explicitly disabled (autostart: false, cron: null)
✓ No shell execution, subprocess, os.system, or popen calls — all I/O goes through the official simmer-sdk
✓ SIMMER_API_KEY is used only for trading authority via the SDK and is never transmitted anywhere else
✓ All risk parameters are declared as SIMMER_* tunables, fully auditable from clawhub.json
✓ No base64, eval, exec, or other code-obfuscation techniques
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env, .aws/credentials)
✓ No curl|bash or wget|sh remote script execution
✓ clawhub.json, SKILL.md, and trader.py are in full agreement — no doc-to-code mismatch
✓ The skill implements proper safeguards: spread gating, days-to-resolution filtering, context flip-flop detection, and max-position caps