Scan Report
5/100
kalshi-crypto-momentum-trader
Uses 7-day and 30-day price trend extrapolation to trade crypto year-end price target markets on Kalshi
Legitimate crypto momentum trading skill using the official simmer-sdk with proper dry-run defaults and no malicious indicators.
Safe to install
This skill is safe to use. Ensure SIMMER_API_KEY is kept confidential and only use --live mode when intentionally executing real trades.
Security findings: 1
| Severity | Security finding | Location |
|---|---|---|
| Low | SOLANA_PRIVATE_KEY not directly referenced in code | trader.py |

| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| Filesystem | NONE | NONE | — | No direct filesystem access - only uses SDK config helpers |
| Network access | READ | READ | ✓ Consistent | All network calls go through official simmer-sdk |
| Command execution | NONE | NONE | — | No subprocess, os.system, or shell execution found |
| Environment variables | READ | READ | ✓ Consistent | Reads SIMMER_API_KEY, TRADING_VENUE, AUTOMATON_* vars - all documented or standa… |
| Skill invocation | NONE | NONE | — | No skill-to-skill invocation |

2 findings
Medium · External URL · https://simmer.markets/skills · SKILL.md:10
Info · Email address · [email protected] · SKILL.md:103

Directory structure
3 files · 25.7 KB · 750 lines
Python 1f · 560L
Markdown 1f · 105L
JSON 1f · 85L
├─ clawhub.json (JSON)
├─ SKILL.md (Markdown)
└─ trader.py (Python)

Dependency analysis: 1
| Package | Version | Source | Known vulnerabilities | Notes |
|---|---|---|---|---|
| simmer-sdk | * | PyPI | No | Version not pinned; official Simmer Markets SDK |

Security highlights
✓ Dry-run mode is the default - no trades execute without --live flag
✓ All API calls go through the official simmer-sdk (not raw HTTP)
✓ Safeguard checks prevent trading on resolved markets, low liquidity, or high slippage
✓ Rate limiting implemented for API calls
✓ Maximum position size ($5) and trade count (3) limits enforced
✓ Exit thresholds prevent runaway positions
✓ No subprocess, shell execution, or system command invocations
✓ No credential harvesting or exfiltration
✓ No base64 payloads, encoded commands, or suspicious patterns
✓ Single external dependency (simmer-sdk) from verified PyPI publisher