Trusted: risk score 5/100
Last scanned: 1 day ago
polymarket-bundle-crypto-hourly-trader
Trades crypto hourly Up/Down markets on Polymarket when sub-interval consensus disagrees with hourly price. Uses the Simmer SDK for market discovery, bundle construction, and trade execution.
A legitimate Polymarket crypto trading bot using the simmer-sdk library with no malicious indicators: paper-trading by default, a single declared dependency (simmer-sdk, which the dependency analysis below shows is not version-pinned), and all behavior fully declared in documentation.
Skill name: polymarket-bundle-crypto-hourly-trader
Analysis time: 31.8s
Engine: pi
Verdict: safe to install
No action needed. This is a straightforward trading signal bot. Treat SIMMER_API_KEY as a high-value credential as the documentation correctly advises.

Security findings (2)

Severity | Finding | Location

Low | Sensitive access | trader.py:31
Reads SIMMER_API_KEY from environment
The script requires the SIMMER_API_KEY environment variable for authentication. This is a credential, but it is only passed to the SimmerClient and is not exfiltrated. SKILL.md correctly notes it should be treated as a high-value credential.
api_key=os.environ["SIMMER_API_KEY"]
→ Ensure SIMMER_API_KEY is never logged or printed in production. The script's safe_print helper addresses output encoding, not redaction, so keep the key out of every print and log argument, including object reprs that might embed it.

Low | Sensitive access | trader.py:14
Multiple environment variables read at module level
Sixteen environment variables are read (lines 14-24) for risk parameters. All are declared tunables in clawhub.json. None are sensitive credentials.
MAX_POSITION = float(os.environ.get("SIMMER_MAX_POSITION", "40"))
→ Validate numeric bounds on these reads. float() accepts "nan", "inf" and arbitrarily large values without error, and a NaN or negative limit does not crash anything: every comparison against NaN is False, so a risk check that relies on it misbehaves silently. Reject non-finite and out-of-range values at startup rather than trading with them; the ranges declared in clawhub.json are the natural bounds.
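The following is an added example that closes both findings together; it is not code from trader.py or simmer-sdk. Numeric tunables are parsed with explicit bounds and non-finite rejection, and the API key is wrapped in a type whose str(), repr() and %-formatting cannot leak it, with a logging filter as a second line of defence. SIMMER_MAX_POSITION and its default of 40 come from the finding above; the numeric bounds, the second tunable name (SIMMER_MAX_DAILY_LOSS), the Secret type and the filter design are all assumptions made for this example, and the real ranges should be taken from clawhub.json.

```python
import logging
import math
import os

# (default, minimum, maximum) per tunable. SIMMER_MAX_POSITION and its default of 40
# come from trader.py:14; the bounds and SIMMER_MAX_DAILY_LOSS are assumptions made for
# this example. In practice, mirror the ranges clawhub.json declares.
TUNABLE_BOUNDS = {
    "SIMMER_MAX_POSITION": (40.0, 0.0, 1000.0),
    "SIMMER_MAX_DAILY_LOSS": (100.0, 0.0, 10000.0),  # hypothetical tunable
}


class Secret:
    """Holds a credential so that str(), repr(), f-strings and %s formatting never show it."""

    __slots__ = ("_value",)

    def __init__(self, value: str) -> None:
        self._value = value

    def reveal(self) -> str:
        """Call only at the point of use, e.g. SimmerClient(api_key=cfg["api_key"].reveal())."""
        return self._value

    def __repr__(self) -> str:
        return "Secret(****)"

    __str__ = __repr__


def read_bounded_float(name, default, lo, hi, env=None):
    """Parse a numeric tunable, rejecting non-numbers, NaN/inf and out-of-range values.

    float() accepts "nan", "inf" and "1e308" without complaint, and every comparison
    with NaN is False, so an unchecked value can silently defeat a size limit.
    """
    env = os.environ if env is None else env
    raw = env.get(name)
    if raw is None:
        return default
    try:
        value = float(raw)
    except ValueError:
        raise ValueError(f"{name}={raw!r} is not a number") from None
    if not math.isfinite(value):
        raise ValueError(f"{name}={raw!r} must be finite")
    if not lo <= value <= hi:
        raise ValueError(f"{name}={value} is outside the allowed range [{lo}, {hi}]")
    return value


def read_secret(name, env=None):
    """Require a non-empty credential and return it wrapped, never as a bare str."""
    env = os.environ if env is None else env
    raw = env.get(name, "").strip()
    if not raw:
        raise KeyError(f"{name} is required")
    return Secret(raw)


class RedactSecretsFilter(logging.Filter):
    """Second line of defence: mask known secret values if they reach a log record anyway."""

    def __init__(self, secrets):
        super().__init__()
        self._values = [s.reveal() for s in secrets]

    def filter(self, record):
        message = record.getMessage()
        scrubbed = message
        for value in self._values:
            scrubbed = scrubbed.replace(value, "****")
        if scrubbed != message:
            record.msg = scrubbed  # already formatted, so drop the original args
            record.args = ()
        return True


def scrub(msg, args, secrets):
    """Run one would-be log call through the filter and return the text that would be emitted."""
    record = logging.LogRecord("trader", logging.INFO, "trader.py", 0, msg, args, None)
    RedactSecretsFilter(secrets).filter(record)
    return record.getMessage()


def load_config(env=None):
    """Load the key and every tunable; any malformed value aborts startup instead of trading."""
    env = os.environ if env is None else env
    api_key = read_secret("SIMMER_API_KEY", env)
    tunables = {
        name: read_bounded_float(name, default, lo, hi, env)
        for name, (default, lo, hi) in TUNABLE_BOUNDS.items()
    }
    return {"api_key": api_key, "tunables": tunables}
```

Attach the filter with handler.addFilter(RedactSecretsFilter([cfg["api_key"]])) on each handler rather than on the logger, because logger-level filters do not apply to records propagated from child loggers while handler-level filters see everything that handler formats. The filter is deliberately a backstop: the Secret wrapper is what stops `logging.info("loaded %r", cfg)` from ever containing the key in the first place.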
Resource | Declared | Inferred | Status | Evidence
File system | NONE | NONE | | trader.py — no open(), Path, or file I/O calls
Network access | NONE | READ | ✓ consistent | trader.py: client.find_markets() and client.trade() — all Polymarket API calls vi…
Command execution | NONE | NONE | | trader.py — no subprocess, os.system, or shell execution
Environment variables | READ | READ | ✓ consistent | trader.py:14-24 — SIMMER_API_KEY, SIMMER_MAX_POSITION, etc.; all legitimate conf…
Skill invocation | NONE | NONE | | No skill-to-skill invocation detected
Clipboard | NONE | NONE | | No clipboard access
Browser | NONE | NONE | | No browser automation
Database | NONE | NONE | | No database access

Directory structure

3 files · 23.2 KB · 654 lines
Python: 1 file · 466 lines; Markdown: 1 file · 101 lines; JSON: 1 file · 87 lines
├─ clawhub.json  JSON  87 lines · 1.8 KB
├─ SKILL.md  Markdown  101 lines · 5.4 KB
└─ trader.py  Python  466 lines · 16.1 KB

Dependency analysis (1)

Package | Version | Source | Known vulnerabilities | Notes
simmer-sdk | unspecified | pip | none listed | Version is not specified in the requirements; SKILL.md references PyPI/GitHub URLs but there is no version pin, so each install resolves to whatever is current on PyPI at that moment. Pin an exact version (and ideally a hash) so the one dependency the trader trusts cannot change underneath it.

Security highlights

✓ Paper trading (sim) is the default mode — no real trades without explicit --live flag
✓ Single, named dependency (simmer-sdk) — no anonymous pip installs or curl|bash patterns
✓ No subprocess, shell execution, or eval() calls of any kind
✓ No obfuscation (no base64, no exec(), no getattr with dynamic strings)
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env, credentials directories)
✓ All functionality is explicitly documented in SKILL.md with clear safety disclaimers
✓ clawhub.json declares all tunables with ranges, providing transparency
✓ Uses a named SimmerClient SDK rather than raw HTTP calls, reducing the attack surface in this script itself (the trust moves to the SDK, which the dependency analysis above shows is unpinned)
✓ No persistence mechanisms (no cron config, autostart=false, automaton managed=false)
✓ SIMMER_API_KEY is only passed to SimmerClient to authenticate to the Simmer API; it is not sent anywhere else