polymarket-space-trader 安全扫描报告 — 可信 | ClawSafe

5 /100

polymarket-space-trader

Trades Polymarket prediction markets on space launches, SpaceX milestones, satellite deployments, Mars missions, and commercial spaceflight outcomes.

A legitimate Polymarket space trading skill with strong safe-by-default design: paper trading is the default, real trades require an explicit --live flag, no shell execution, no credential exfiltration, and all network activity is routed through the official simmer-sdk.

技能名称polymarket-space-trader

分析耗时29.1s

引擎pi

✓

可以安装

This skill is safe to use. Ensure the SIMMER_API_KEY provided to the automaton environment does not have live-trading permissions to prevent accidental financial exposure.

资源类型	声明权限	推断权限	状态	证据
文件系统	`NONE`	`NONE`	—	trader.py:1-10 — no file open, read, or write calls
网络访问	`READ`	`READ`	✓ 一致	trader.py:19 — all network I/O goes through SimmerClient from simmer-sdk
命令执行	`NONE`	`NONE`	—	trader.py — zero subprocess/os.system/os.popen calls
环境变量	`READ`	`READ`	✓ 一致	trader.py:21-28 — only reads SIMMER_* prefixed env vars
技能调用	`NONE`	`NONE`	—	trader.py — no skill invocation
剪贴板	`NONE`	`NONE`	—	trader.py — no clipboard access
浏览器	`NONE`	`NONE`	—	trader.py — no browser or WebFetch calls
数据库	`NONE`	`NONE`	—	trader.py — no database access

1 项发现

📧

提示邮箱邮箱地址

[email protected]

SKILL.md:138

目录结构

3 文件 · 18.6 KB · 467 行

Python 1f · 254L Markdown 1f · 140L JSON 1f · 73L

├─ 📋 clawhub.json JSON 73L · 1.2 KB

├─ 📝 SKILL.md Markdown 140L · 6.6 KB

└─ 🐍 trader.py Python 254L · 10.8 KB

依赖分析 1 项

包名	版本	来源	已知漏洞	备注
`simmer-sdk`	`*`	pip	否	Official SDK from Simmer Markets (pypi.org/project/simmer-sdk); not pinned but from a known publisher

安全亮点

✓ Paper trading (venue='sim') is the hardcoded default; --live flag is required for real trades

✓ Automaton autostart is explicitly disabled (autostart: false, cron: null)

✓ No shell execution, subprocess, os.system, or popen calls — all I/O goes through the official simmer-sdk

✓ SIMMER_API_KEY is used only for trading authority via the SDK and is never transmitted anywhere else

✓ All risk parameters are declared as SIMMER_* tunables, fully auditable from clawhub.json

✓ No base64, eval, exec, or other code-obfuscation techniques

✓ No access to sensitive paths (~/.ssh, ~/.aws, .env, .aws/credentials)

✓ No curl|bash or wget|sh remote script execution

✓ clawhub.json, SKILL.md, and trader.py are in full agreement — no doc-to-code mismatch

✓ The skill implements proper safeguards: spread gating, days-to-resolution filtering, context flip-flop detection, and max-position caps