Low Risk — Risk Score 12/100
Last scan: 1 day ago
polymarket-macro-event-cascade-trader
Trades 2nd and 3rd order effects from nearly-resolved Polymarket events by identifying cascade chains and trading lagging downstream targets.
Legitimate Polymarket cascade trading bot with paper-trading default, clear documentation, and no malicious indicators found in the code.
Skill Name: polymarket-macro-event-cascade-trader
Duration: 36.6s
Engine: pi
Safe to install
Approve for use. Pin the simmer-sdk dependency to an exact version for better supply-chain hygiene.

Findings (1 item)

Severity  Finding                         Location
Low       Unpinned simmer-sdk dependency  Supply Chain (clawhub.json:11)

The pip requirement in clawhub.json lists 'simmer-sdk' with no version specifier. Without a pin, every fresh install resolves to whatever the newest release on the index is at that moment, so a future release that is broken or compromised would be installed silently.

    "pip": ["simmer-sdk"]

→ Pin to an exact version ("simmer-sdk==x.y.z"). A bounded range such as "simmer-sdk>=1.0.0,<2.0.0" limits drift but still admits any new release inside the bound; only an exact pin (with hash checking where the install path supports it) gives a reproducible install.
Resource      Declared  Inferred  Status     Evidence
Filesystem    NONE      NONE      Aligned    No file reads or writes in trader.py
Network       READ      READ      ✓ Aligned  SimmerClient API calls only (trader.py lines 50-65)
Shell         NONE      NONE      Aligned    No subprocess/eval/os.system calls in trader.py
Environment   READ      READ      ✓ Aligned  Only reads SIMMER_* env vars (trader.py lines 44-51)
Skill Invoke  NONE      NONE      Aligned    No skill invocation found
Clipboard     NONE      NONE      Aligned    No clipboard access
Browser       NONE      NONE      Aligned    No browser automation
Database      NONE      NONE      Aligned    No database access
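The table above is the kind of declared-versus-inferred comparison a static scanner performs: collect evidence of each resource from the code, then check it against the manifest. As an added illustration (not the scanner's implementation and not the skill's code), the Python below walks the AST of a constructed stand-in for trader.py, records shell, environment, network and filesystem evidence with line numbers, and flags any resource that is used but declared NONE. SimmerClient is taken from the table on this page; the simmer_sdk import path, the recognised call lists, and the deliberately undeclared subprocess call are assumptions made for the example.

```python
"""Infer which resources a Python skill touches and compare with its manifest.

Added example for this scan report, not the scanner's own code.  The skill
source below is a constructed stand-in for trader.py; the declared map mirrors
the resource table on this page.
"""
import ast

# Constructed skill source: reads SIMMER_* variables and talks to an SDK
# client like the report describes, plus one deliberately undeclared shell
# call so the mismatch path is exercised.  Import path is hypothetical.
SKILL_SOURCE = '''
import os
import subprocess
from simmer_sdk import SimmerClient

def main(live=False):
    api_key = os.environ["SIMMER_API_KEY"]
    venue = os.getenv("SIMMER_VENUE", "sim")
    client = SimmerClient(api_key=api_key, venue=venue)
    markets = client.get_markets()
    subprocess.run(["notify-send", "scan done"])   # not declared in manifest
    return markets
'''

# What the manifest claims (only Network and Environment, as on this page).
DECLARED = {"Filesystem": "NONE", "Network": "READ", "Shell": "NONE", "Environment": "READ"}

# Assumed signature lists; a real scanner would carry far longer ones.
SHELL_CALLS = {"os.system", "os.popen", "subprocess.run", "subprocess.Popen",
               "subprocess.call", "subprocess.check_output", "eval", "exec"}
ENV_CALLS = {"os.getenv", "os.environ.get"}
NETWORK_CALLS = {"requests.get", "requests.post", "urllib.request.urlopen", "socket.socket"}
NETWORK_CLIENTS = {"SimmerClient"}   # SDK client constructors treated as network use


def _dotted(node):
    """Render a Name/Attribute chain such as os.environ.get as a dotted string."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None   # calls on arbitrary expressions are not classified


def infer_resources(source):
    """Walk the AST and return {resource: [(line, evidence), ...]}."""
    tree = ast.parse(source)
    found = {name: [] for name in DECLARED}
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _dotted(node.func)
            if name in SHELL_CALLS:
                found["Shell"].append((node.lineno, name))
            elif name in ENV_CALLS:
                found["Environment"].append((node.lineno, name))
            elif name in NETWORK_CALLS or name in NETWORK_CLIENTS:
                found["Network"].append((node.lineno, name))
            elif name == "open":
                found["Filesystem"].append((node.lineno, "open()"))
        elif isinstance(node, ast.Subscript) and _dotted(node.value) == "os.environ":
            found["Environment"].append((node.lineno, "os.environ[...]"))
    return found


def check_alignment(declared, inferred):
    """Anything used but declared NONE is a finding; declared but unused is noise."""
    report = {}
    for resource, level in declared.items():
        used = bool(inferred[resource])
        if used and level == "NONE":
            report[resource] = "UNDECLARED"
        elif not used and level != "NONE":
            report[resource] = "OVERDECLARED"
        else:
            report[resource] = "Aligned"
    return report


if __name__ == "__main__":
    evidence = infer_resources(SKILL_SOURCE)
    for resource, status in check_alignment(DECLARED, evidence).items():
        lines = ", ".join(f"line {ln}: {what}" for ln, what in evidence[resource]) or "-"
        print(f"{resource:<12} declared={DECLARED[resource]:<5} {status:<13} {lines}")
```

Run as-is, the Shell row comes back UNDECLARED with the subprocess.run line as evidence, which is exactly the kind of mismatch the Status column on this page is designed to surface; the other three rows report Aligned.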

File Tree

3 files · 25.2 KB · 716 lines
Python: 1 file, 490 lines · Markdown: 1 file, 117 lines · JSON: 1 file, 109 lines
├─ 📋 clawhub.json JSON 109L · 1.8 KB
├─ 📝 SKILL.md Markdown 117L · 5.3 KB
└─ 🐍 trader.py Python 490L · 18.0 KB

Dependencies (1 item)

Package     Version  Source  Known Vulns  Notes
simmer-sdk  *        pip     No           Version not pinned; no known vulnerability, but supply-chain risk exists
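A worked check for the pin finding and the dependency row above, added to this report rather than taken from the scanner or the skill: a stdlib-only Python auditor that classifies each entry of a manifest's "pip" list as unpinned, range-bounded, or exactly pinned, and notes whether a hash is attached. The manifest it parses is constructed for the example (the page's single entry plus hypothetical extra ones with a placeholder hash); whether clawhub.json accepts pip's `--hash` syntax is an assumption, as is the severity mapping.

```python
"""Audit the pip requirements in a clawhub.json manifest for missing version pins.

Added example for this scan report; not the scanner's own code or the skill's.
Classification follows PEP 440 specifier shapes: no specifier -> unpinned,
==/=== to one version -> exact, anything else (>=, <, ~=, !=, wildcards) -> range.
"""
import json
import re

# Constructed manifest: the single entry from this page plus hypothetical extra
# rows so every classifier branch is exercised.  The hash is a placeholder, not
# a real digest.
MANIFEST_JSON = r'''
{
  "name": "polymarket-macro-event-cascade-trader",
  "pip": [
    "simmer-sdk",
    "requests>=2.31,<3",
    "urllib3==2.2.1",
    "idna[extras]==3.7 ; python_version >= \"3.8\"",
    "certifi==2024.2.2 --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000"
  ]
}
'''

# PEP 508 project name, optional extras, then whatever follows.
_REQ_RE = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)(?P<extras>\[[^\]]*\])?\s*(?P<rest>.*)$"
)


def classify_requirement(req: str) -> dict:
    """Return the package name, its pin level and whether a --hash is present."""
    m = _REQ_RE.match(req)
    if not m:
        raise ValueError(f"unparseable requirement: {req!r}")
    rest = m.group("rest")
    has_hash = "--hash=" in rest
    # Environment markers (after ';') and --hash options are not version constraints.
    spec = re.sub(r"--hash=\S+", "", rest.split(";", 1)[0]).strip()
    if not spec:
        level = "unpinned"
    elif re.fullmatch(r"===?\s*[^,\s*]+", spec):   # a wildcard like ==2.* is not exact
        level = "exact"
    else:
        level = "range"
    return {"name": m.group("name"), "pin": level, "hash": has_hash, "raw": req}


def audit_manifest(manifest_text: str) -> list:
    """Classify every pip requirement and attach a severity (assumed scale)."""
    manifest = json.loads(manifest_text)
    results = []
    for req in manifest.get("pip", []):
        info = classify_requirement(req)
        if info["pin"] == "unpinned":
            # Mirrors the Low finding on this page: any future release is accepted.
            info["severity"] = "low"
            info["advice"] = "pin to an exact version and add --hash"
        elif info["pin"] == "range" or not info["hash"]:
            # A bound or a bare == still lets the artifact change on the index.
            info["severity"] = "info"
            info["advice"] = "exact pin with --hash recommended"
        else:
            info["severity"] = "ok"
            info["advice"] = ""
        results.append(info)
    return results


if __name__ == "__main__":
    for r in audit_manifest(MANIFEST_JSON):
        print(f"{r['severity']:<5} {r['name']:<11} pin={r['pin']:<8} hash={r['hash']!s:<5} {r['raw']}")
```

Only the first row reproduces the page's finding; the extra rows show why "pinned" needs qualifying: a range still floats, and an exact pin without a hash still trusts the index to serve the same artifact every time.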

Security Positives

✓ Paper trading is the default (venue="sim"); real funds are only at risk when --live is explicitly passed
✓ No subprocess, os.system, exec, or eval calls; all behaviour goes through the SDK
✓ No base64 encoding, obfuscation, or anti-analysis patterns detected
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ No remote script execution (curl|bash, wget|sh)
✓ Documentation matches observed behaviour; no doc-to-code mismatch
✓ No hidden instructions or steganographic content
✓ The SIMMER_API_KEY credential is declared, and trading cannot function without it
✓ A context guard checks for flip-flop and slippage before any trade is placed
✓ The credential is used only to authenticate SimmerClient API calls; no other outbound use was observed