polymarket-btc-weekend-volatility-trader Security Report — Trusted | ClawSafe

5 /100

polymarket-btc-weekend-volatility-trader

Trades BTC weekend price threshold markets on Polymarket exploiting the structural gap between first-passage and terminal probability — a systematic mispricing replenishing every weekend.

A legitimate BTC weekend volatility trading skill with clean code, no shell execution, no sensitive file access, no obfuscation, and well-documented trading logic using first-passage probability theory.

Skill Namepolymarket-btc-weekend-volatility-trader

Duration61.5s

Enginepi

✓

Safe to install

No blocking concerns. Consider pinning the simmer-sdk dependency to a specific version for reproducible builds.

Findings 1 items

Severity	Finding	Location
Low	Unpinned dependency version Supply Chain SKILL.md declares 'simmer-sdk' as a dependency but does not specify a version pin. This creates minor supply chain risk — an attacker could publish a malicious version under the same name. Version pinning to a specific release (e.g., simmer-sdk==1.2.3) would eliminate this risk. `simmer-sdk` → Pin the dependency: 'simmer-sdk==X.Y.Z' in requirements.txt or SKILL.md. Verify the package hash if possible.	`SKILL.md:1`

Resource	Declared	Inferred	Status	Evidence
Filesystem	`NONE`	`READ`	✓ Aligned	import os, import argparse, import datetime — standard library only
Network	`NONE`	`READ`	✓ Aligned	trader.py:20 from simmer_sdk import SimmerClient; client.trade() — SDK makes Pol…
Environment	`NONE`	`READ`	✓ Aligned	trader.py:39-50 os.environ.get() reads tunables; trader.py:319 reads SIMMER_API_…
Shell	`NONE`	`NONE`	—	No subprocess, os.system, or shell invocation found
Clipboard	`NONE`	`NONE`	—	No clipboard access in code
Browser	`NONE`	`NONE`	—	No browser/web automation in code
Database	`NONE`	`NONE`	—	No database access in code
Skill Invoke	`NONE`	`NONE`	—	No skill invocation in code

File Tree

3 files · 30.0 KB · 642 lines

Python 1f · 400L Markdown 1f · 187L JSON 1f · 55L

├─ 📋 clawhub.json JSON 55L · 1.1 KB

├─ 📝 SKILL.md Markdown 187L · 10.6 KB

└─ 🐍 trader.py Python 400L · 18.4 KB

Dependencies 1 items

Package	Version	Source	Known Vulns	Notes
`simmer-sdk`	`unpinned`	pip	No	No version specified in SKILL.md. Minor supply chain risk — recommend pinning to a specific release.

Security Positives

✓ No shell execution (subprocess, os.system, popen) — zero command injection risk

✓ No sensitive file access (~/.ssh, ~/.aws, .env) — credential theft paths absent

✓ No obfuscation (no base64, eval, exec, __import__) — code is fully readable

✓ No network egress to suspicious IPs — all traffic goes through simmer-sdk to Polymarket

✓ Paper trading is the safe default (venue='sim' without --live flag)

✓ No credential exfiltration — SIMMER_API_KEY is passed only to SimmerClient for auth

✓ Documentation is thorough and matches implementation exactly

✓ No hidden functionality — every function has a clear legitimate purpose

✓ Imports only standard library (os, argparse, datetime) plus one documented SDK

Scan Report

Findings 1 items

File Tree

Dependencies 1 items

Security Positives