Scan Report
0 /100
polymarket-coffee-trader
Trades Polymarket coffee markets using three compounding seasonal edges — Brazil frost window mispricing, harvest cycle awareness, and ENSO phase.
A legitimate Polymarket coffee trading skill using date-derived seasonal multipliers with no malicious behavior, no undeclared capabilities, and safe paper-trading defaults.
Safe to install
Approve for use. Pin simmer-sdk to a known-good version in production for supply-chain hygiene.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | NONE | NONE | — | trader.py — no file reads or writes beyond Python imports |
| Network | READ | READ | ✓ Aligned | trader.py:284 — SimmerClient trades via simmer-sdk; all network traffic is Polym… |
| Shell | NONE | NONE | — | trader.py — no subprocess, os.system, eval, exec, or shell invocation |
| Environment | READ | READ | ✓ Aligned | trader.py:18-31 — reads SIMMER_API_KEY and tunables, passed only to SimmerClient… |
| Skill Invoke | NONE | NONE | — | trader.py — no inter-skill invocation |
| Clipboard | NONE | NONE | — | No clipboard access |
| Browser | NONE | NONE | — | No browser automation |
| Database | NONE | NONE | — | No database access |
File Tree
3 files · 26.1 KB · 649 lines Python 1f · 391L
Markdown 1f · 172L
JSON 1f · 86L
├─
clawhub.json
JSON
├─
SKILL.md
Markdown
└─
trader.py
Python
Dependencies 1 items
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
simmer-sdk | unpinned | PyPI | No | Version not pinned; recommend pinning to a known release in production |
Security Positives
✓ No shell or subprocess execution — all logic is pure Python
✓ No obfuscation (no base64, eval, or exec)
✓ No credential harvesting or exfiltration — SIMMER_API_KEY is used only for Polymarket API auth via simmer-sdk
✓ No sensitive path access (~/.ssh, ~/.aws, .env, etc.)
✓ No hidden functionality — code implements exactly what SKILL.md describes
✓ Safe defaults — paper trading (venue=sim) is the default; --live flag is required for real trades
✓ No data exfiltration — no external IP, no POSTs to unknown endpoints
✓ No persistence mechanisms — no cron, no autostart, no backdoors
✓ All tunables are declared in clawhub.json and documented in SKILL.md
✓ Function names and logic map directly to documented seasonal trading strategy