Trusted — Risk Score 5/100
Last scan: 2 days ago
kalshi-crypto-momentum-trader
Uses 7-day and 30-day price trend extrapolation to trade crypto year-end price target markets on Kalshi
Legitimate crypto momentum trading skill using the official simmer-sdk with proper dry-run defaults and no malicious indicators.
Skill Name: kalshi-crypto-momentum-trader
Duration: 29.0s
Engine: pi
Safe to install
This skill is safe to use. Ensure SIMMER_API_KEY is kept confidential and only use --live mode when intentionally executing real trades.

Findings (1 item)

Severity: Low
Finding: SOLANA_PRIVATE_KEY not directly referenced in code
Location: trader.py
SKILL.md documents SOLANA_PRIVATE_KEY as required for live trading, but the code doesn't directly read this variable. It relies on simmer-sdk to handle Solana transaction signing. This is a minor documentation-implementation gap.
# SOLANA_PRIVATE_KEY mentioned in docs but handled by SDK
→ Consider clarifying in SKILL.md that Solana key handling is delegated to simmer-sdk.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | NONE | NONE | | No direct filesystem access - only uses SDK config helpers |
| Network | READ | READ | ✓ Aligned | All network calls go through official simmer-sdk |
| Shell | NONE | NONE | | No subprocess, os.system, or shell execution found |
| Environment | READ | READ | ✓ Aligned | Reads SIMMER_API_KEY, TRADING_VENUE, AUTOMATON_* vars - all documented or standa… |
| Skill Invoke | NONE | NONE | | No skill-to-skill invocation |
2 findings
Medium: External URL - https://simmer.markets/skills (SKILL.md:10)
Info: Email - [email protected] (SKILL.md:103)

File Tree

3 files · 25.7 KB · 750 lines
Python 1f · 560L Markdown 1f · 105L JSON 1f · 85L
├─ 📋 clawhub.json JSON 85L · 1.6 KB
├─ 📝 SKILL.md Markdown 105L · 4.0 KB
└─ 🐍 trader.py Python 560L · 20.1 KB

Dependencies (1 item)

| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| simmer-sdk | * | PyPI | No | Version not pinned; official Simmer Markets SDK |

Security Positives

✓ Dry-run mode is the default - no trades execute without --live flag
✓ All API calls go through the official simmer-sdk (not raw HTTP)
✓ Safeguard checks prevent trading on resolved markets, low liquidity, or high slippage
✓ Rate limiting implemented for API calls
✓ Maximum position size ($5) and trade count (3) limits enforced
✓ Exit thresholds prevent runaway positions
✓ No subprocess, shell execution, or system command invocations
✓ No credential harvesting or exfiltration
✓ No base64 payloads, encoded commands, or suspicious patterns
✓ Single external dependency (simmer-sdk) from verified PyPI publisher