polymarket-btc-weekend-volatility-trader 安全扫描报告 — 可信 | ClawSafe

5 /100

polymarket-btc-weekend-volatility-trader

Trades BTC weekend price threshold markets on Polymarket exploiting the structural gap between first-passage and terminal probability — a systematic mispricing replenishing every weekend.

A legitimate BTC weekend volatility trading skill with clean code, no shell execution, no sensitive file access, no obfuscation, and well-documented trading logic using first-passage probability theory.

技能名称polymarket-btc-weekend-volatility-trader

分析耗时61.5s

引擎pi

✓

可以安装

No blocking concerns. Consider pinning the simmer-sdk dependency to a specific version for reproducible builds.

安全发现 1 项

严重性	安全发现	位置
低危	Unpinned dependency version 供应链 SKILL.md declares 'simmer-sdk' as a dependency but does not specify a version pin. This creates minor supply chain risk — an attacker could publish a malicious version under the same name. Version pinning to a specific release (e.g., simmer-sdk==1.2.3) would eliminate this risk. `simmer-sdk` → Pin the dependency: 'simmer-sdk==X.Y.Z' in requirements.txt or SKILL.md. Verify the package hash if possible.	`SKILL.md:1`

资源类型	声明权限	推断权限	状态	证据
文件系统	`NONE`	`READ`	✓ 一致	import os, import argparse, import datetime — standard library only
网络访问	`NONE`	`READ`	✓ 一致	trader.py:20 from simmer_sdk import SimmerClient; client.trade() — SDK makes Pol…
环境变量	`NONE`	`READ`	✓ 一致	trader.py:39-50 os.environ.get() reads tunables; trader.py:319 reads SIMMER_API_…
命令执行	`NONE`	`NONE`	—	No subprocess, os.system, or shell invocation found
剪贴板	`NONE`	`NONE`	—	No clipboard access in code
浏览器	`NONE`	`NONE`	—	No browser/web automation in code
数据库	`NONE`	`NONE`	—	No database access in code
技能调用	`NONE`	`NONE`	—	No skill invocation in code

目录结构

3 文件 · 30.0 KB · 642 行

Python 1f · 400L Markdown 1f · 187L JSON 1f · 55L

├─ 📋 clawhub.json JSON 55L · 1.1 KB

├─ 📝 SKILL.md Markdown 187L · 10.6 KB

└─ 🐍 trader.py Python 400L · 18.4 KB

依赖分析 1 项

包名	版本	来源	已知漏洞	备注
`simmer-sdk`	`unpinned`	pip	否	No version specified in SKILL.md. Minor supply chain risk — recommend pinning to a specific release.

安全亮点

✓ No shell execution (subprocess, os.system, popen) — zero command injection risk

✓ No sensitive file access (~/.ssh, ~/.aws, .env) — credential theft paths absent

✓ No obfuscation (no base64, eval, exec, __import__) — code is fully readable

✓ No network egress to suspicious IPs — all traffic goes through simmer-sdk to Polymarket

✓ Paper trading is the safe default (venue='sim' without --live flag)

✓ No credential exfiltration — SIMMER_API_KEY is passed only to SimmerClient for auth

✓ Documentation is thorough and matches implementation exactly

✓ No hidden functionality — every function has a clear legitimate purpose

✓ Imports only standard library (os, argparse, datetime) plus one documented SDK