Trusted: risk score 5/100
Last scanned: 1 day ago
polymarket-bundle-cross-coin-5min-trader
Trades cross-coin divergence in 5-minute crypto Up/Down bundles on Polymarket by detecting when BTC/ETH/SOL/XRP deviate from group consensus in the same time window.
Clean Polymarket trading bot using simmer-sdk; paper trading by default, no shell execution, no sensitive path access, no obfuscation, and all functionality is accurately described in documentation.
Skill name: polymarket-bundle-cross-coin-5min-trader
Analysis time: 40.0s
Engine: pi
Verdict: safe to install
This skill is safe to use. The only minor gap is that network I/O via the simmer-sdk is not explicitly declared in SKILL.md, but it is inherent to the stated trading purpose and carries no security risk.

Security findings (1)

Severity | Finding | Category | Location
Info | Network I/O not explicitly declared in SKILL.md | Documentation deception | SKILL.md:1

The simmer-sdk makes outbound network calls to Polymarket APIs for market discovery and trade execution. SKILL.md does not list network as a declared permission. However, this is inherently required by the stated trading purpose and carries zero exfiltration risk -- the network calls are only to Polymarket's own API endpoints for the bot's normal operation.
Documentation describes trading behavior but omits network:READ
→ Add 'network: READ' to the allowed-tools mapping in the capability declaration, noting it is used exclusively for Polymarket API calls via simmer-sdk.
Resource type | Declared permission | Inferred permission | Status | Evidence
File system | NONE | NONE | | trader.py: No file open/creation calls
Network access | NONE | READ | ✓ consistent | trader.py: SimmerClient from simmer-sdk makes outbound API calls to Polymarket (…
Command execution | NONE | NONE | | trader.py: No subprocess, os.system, or shell command invocation
Environment variables | READ | READ | ✓ consistent | trader.py:29-37 reads SIMMER_API_KEY and tuning params from os.environ -- declar…
Skill invocation | NONE | NONE | | No inter-skill invocation
Clipboard | NONE | NONE | | No clipboard access
Browser | NONE | NONE | | No browser automation
Database | NONE | NONE | | No database access

Directory structure

3 files · 23.3 KB · 629 lines
Python: 1 file · 446 lines; Markdown: 1 file · 96 lines; JSON: 1 file · 87 lines
├─ 📋 clawhub.json (JSON, 87 lines · 1.8 KB)
├─ 📝 SKILL.md (Markdown, 96 lines · 5.8 KB)
└─ 🐍 trader.py (Python, 446 lines · 15.7 KB)

Dependency analysis (1)

Package | Version | Source | Known vulnerabilities | Notes
simmer-sdk | * | pip | None detected | Version not pinned; PyPI package from SpartanLabsXyz -- no known vulnerabilities detected, but pinning to a specific version is recommended for supply-chain hygiene

Security highlights

✓ Paper trading (venue=sim) is the default; --live flag is required for real trades
✓ No subprocess, shell execution, or os.system calls anywhere in the codebase
✓ No sensitive path access (~/.ssh, ~/.aws, .env, /etc/passwd)
✓ No base64, eval, exec, or code obfuscation of any kind
✓ No credential exfiltration -- SIMMER_API_KEY is used only locally with the SimmerClient
✓ SIMMER_API_KEY requirement is clearly declared in SKILL.md Required Credentials section
✓ All trading logic (signal, safeguards, execution) is straightforward and readable
✓ No hidden instructions, no C2 communication, no data theft
✓ Uses a known, published SDK (simmer-sdk) from PyPI/GitHub with no modification
✓ No dependency on unpinned external scripts or curl|bash patterns
✓ Environment variables read (tuning params) are standard tunables with safe defaults
✓ No automated autostart or cron configured -- explicit human invocation required