Low risk: risk score 12/100
Last scan: 1 day ago
polymarket-macro-event-cascade-trader
Trades 2nd and 3rd order effects from nearly-resolved Polymarket events by identifying cascade chains and trading lagging downstream targets.
Legitimate Polymarket cascade trading bot with paper-trading default, clear documentation, and no malicious indicators found in the code.
Skill name: polymarket-macro-event-cascade-trader
Analysis time: 36.6s
Engine: pi
Verdict: OK to install
Approve for use. Consider pinning the simmer-sdk dependency to a specific version for improved supply chain hygiene.

Security findings (1)

Severity: Low
Finding: Unpinned simmer-sdk dependency
Category: Supply chain
Location: clawhub.json:11
Details: The pip requirement in clawhub.json lists 'simmer-sdk' without a version pin (e.g., 'simmer-sdk==x.y.z'). Without pinning, pip may install a changed or compromised version in the future.
Evidence: "pip": ["simmer-sdk"]
Recommendation: Pin to a specific version: "simmer-sdk>=1.0.0,<2.0.0" or exact "simmer-sdk==1.x.x"
Permissions

Resource type          Declared  Inferred  Status        Evidence
File system            NONE      NONE                    No file reads or writes in trader.py
Network access         READ      READ      ✓ Consistent  SimmerClient API calls only (lines 50-65)
Command execution      NONE      NONE                    No subprocess/eval/os.system calls in trader.py
Environment variables  READ      READ      ✓ Consistent  Only reads SIMMER_* env vars (lines 44-51)
Skill invocation       NONE      NONE                    No skill invocation found
Clipboard              NONE      NONE                    No clipboard access
Browser                NONE      NONE                    No browser automation
Database               NONE      NONE                    No database access

Directory structure

3 files · 25.2 KB · 716 lines
Python 1 file · 490 lines; Markdown 1 file · 117 lines; JSON 1 file · 109 lines
├─ 📋 clawhub.json JSON 109L · 1.8 KB
├─ 📝 SKILL.md Markdown 117L · 5.3 KB
└─ 🐍 trader.py Python 490L · 18.0 KB

Dependency analysis (1)

Package     Version  Source  Known vulnerabilities  Notes
simmer-sdk  *        pip     None known             Version not pinned; no known vulnerability but supply chain risk exists

Security highlights

✓ Paper-trading default (venue="sim") ensures zero financial risk unless --live is explicitly passed
✓ No subprocess, os.system, exec, or eval calls — code is purely SDK-driven
✓ No base64 encoding, obfuscation, or anti-analysis patterns detected
✓ No sensitive path access (~/.ssh, ~/.aws, .env)
✓ No remote script execution (curl|bash, wget|sh)
✓ Documentation accurately describes behavior; no doc-to-code mismatch
✓ No hidden instructions or steganographic content
✓ SIMMER_API_KEY credential usage is declared and necessary for trading functionality
✓ Context guard checks flip-flop and slippage before trading — includes safety logic
✓ Credential is used only for API authentication, not exfiltrated