Trusted — Risk Score 5/100
Last scan: 1 day ago
polymarket-bundle-crypto-hourly-trader
Trades crypto hourly Up/Down markets on Polymarket when sub-interval consensus disagrees with hourly price. Uses the Simmer SDK for market discovery, bundle construction, and trade execution.
A legitimate Polymarket crypto trading bot built on the simmer-sdk library, with no malicious indicators: paper trading by default, a single named dependency (simmer-sdk, though its version is not pinned), and all behaviour declared in the documentation.
Skill Name: polymarket-bundle-crypto-hourly-trader
Duration: 31.8s
Engine: pi
Safe to install
No action needed before install. This is a straightforward trading signal bot. Treat SIMMER_API_KEY as a high-value credential, as the documentation correctly advises, and pin the simmer-sdk version before deploying.

Findings 2 items

Severity | Finding | Location
Low: Reads SIMMER_API_KEY from environment (Sensitive Access)
The script requires the SIMMER_API_KEY environment variable for authentication (os.environ[...] raises KeyError if it is unset, which is the right fail-fast behaviour for a required credential). It is a credential, but it is passed only to SimmerClient to authenticate against the Simmer API; no other network destination receives it. SKILL.md correctly notes it should be treated as a high-value credential.
api_key=os.environ["SIMMER_API_KEY"]
→ Ensure SIMMER_API_KEY is never logged or printed in production. The existing safe_print helper addresses output encoding, not secret redaction, so confirm the key is never passed to it.
Location: trader.py:31
Low: Multiple environment variables read at module level (Sensitive Access)
Sixteen environment variables are read (trader.py lines 14-24) for risk parameters. All are declared tunables in clawhub.json. None are sensitive credentials.
MAX_POSITION = float(os.environ.get("SIMMER_MAX_POSITION", "40"))
→ Validate numeric bounds on these reads. float() raises ValueError on a malformed value, which crashes the bot at import time, while an out-of-range but well-formed value (for example a very large SIMMER_MAX_POSITION) is accepted silently and becomes the live risk limit. Checking each value against the range declared in clawhub.json fails fast in both cases. This is a robustness issue, not an injection vector.
Location: trader.py:14
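The bounds check recommended above, as an added example rather than code from trader.py or the Simmer SDK. It assumes the environment-variable names other than SIMMER_MAX_POSITION and all numeric ranges, which in a real deployment would come from the tunables declared in clawhub.json. It rejects malformed, non-finite and out-of-range values with one clear error before any trading logic runs:

```python
import math
import os


class ConfigError(ValueError):
    """Raised when a risk parameter is malformed or outside its declared range."""


def read_bounded_float(name, default, lo, hi, env=None):
    """Read a float from the environment and enforce lo <= value <= hi.

    A malformed value ("40abc"), a non-finite value ("nan", "inf") or one
    outside the declared range fails fast with ConfigError instead of
    crashing later with a bare ValueError or silently becoming the risk limit.
    """
    env = os.environ if env is None else env
    raw = env.get(name, default)
    try:
        value = float(raw)
    except (TypeError, ValueError):
        raise ConfigError(f"{name}={raw!r} is not a number") from None
    if not math.isfinite(value):
        raise ConfigError(f"{name}={raw!r} must be finite")
    if not lo <= value <= hi:
        raise ConfigError(f"{name}={value} outside declared range [{lo}, {hi}]")
    return value


# (default, lower bound, upper bound) per tunable. The names other than
# SIMMER_MAX_POSITION and every range here are assumptions for illustration;
# take the real ones from the ranges declared in clawhub.json.
RISK_PARAM_BOUNDS = {
    "SIMMER_MAX_POSITION": ("40", 1.0, 500.0),      # USD per position
    "SIMMER_EDGE_THRESHOLD": ("0.05", 0.0, 1.0),    # assumed name
    "SIMMER_MAX_DAILY_LOSS": ("100", 0.0, 5000.0),  # assumed name
}


def load_risk_params(env=None):
    """Validate every tunable up front so a bad environment never reaches the trading loop."""
    return {
        name: read_bounded_float(name, default, lo, hi, env)
        for name, (default, lo, hi) in RISK_PARAM_BOUNDS.items()
    }


if __name__ == "__main__":
    # Constructed environments for demonstration, not real deployments.
    print(load_risk_params({}))  # all defaults
    for bad in ({"SIMMER_MAX_POSITION": "40abc"},
                {"SIMMER_MAX_POSITION": "1e9"},
                {"SIMMER_MAX_POSITION": "nan"}):
        try:
            load_risk_params(bad)
        except ConfigError as err:
            print("rejected:", err)
```

The isfinite check matters because float("nan") and float("inf") parse without error; nan also compares False against every bound, so a naive range test would reject it only by accident, and inf would pass any check that lacks an upper bound.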
Resource | Declared | Inferred | Status | Evidence
Filesystem | NONE | NONE | | trader.py — no open(), Path, or file I/O calls
Network | NONE | READ | ✓ Aligned | trader.py: client.find_markets() and client.trade() — all Polymarket API calls vi…
Shell | NONE | NONE | | trader.py — no subprocess, os.system, or shell execution
Environment | READ | READ | ✓ Aligned | trader.py:14-24 — SIMMER_API_KEY, SIMMER_MAX_POSITION, etc.; all legitimate conf…
Skill Invoke | NONE | NONE | | No skill-to-skill invocation detected
Clipboard | NONE | NONE | | No clipboard access
Browser | NONE | NONE | | No browser automation
Database | NONE | NONE | | No database access

File Tree

3 files · 23.2 KB · 654 lines
Python: 1 file, 466 lines · Markdown: 1 file, 101 lines · JSON: 1 file, 87 lines
├─ 📋 clawhub.json JSON 87L · 1.8 KB
├─ 📝 SKILL.md Markdown 101L · 5.4 KB
└─ 🐍 trader.py Python 466L · 16.1 KB

Dependencies 1 items

Package | Version | Source | Known Vulns | Notes
simmer-sdk | unspecified | pip | No | Version not specified in requirements; SKILL.md references PyPI/GitHub URLs but no version pin. Pin an exact version, and ideally hashes (pip-compile --generate-hashes together with pip install --require-hashes), so installs are reproducible and a tampered or compromised newer release cannot be pulled in silently.

Security Positives

✓ Paper trading (sim) is the default mode — no real trades without explicit --live flag
✓ Single, named dependency (simmer-sdk) — no anonymous pip installs or curl|bash patterns
✓ No subprocess, shell execution, or eval() calls of any kind
✓ No obfuscation (no base64, no exec(), no getattr with dynamic strings)
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env, credentials directories)
✓ All functionality is explicitly documented in SKILL.md with clear safety disclaimers
✓ clawhub.json declares all tunables with ranges, providing transparency
✓ Uses the named SimmerClient SDK rather than ad hoc HTTP calls, so all network behaviour is confined to one auditable dependency (this concentrates trust in simmer-sdk, which is why its version should be pinned)
✓ No persistence mechanisms (no cron config, autostart=false, automaton managed=false)
✓ SIMMER_API_KEY is passed only to SimmerClient to authenticate against the Simmer API; it is not sent to any other destination or written anywhere