Trusted — Risk Score 5/100
Last scan: 1 day ago
polymarket-bundle-overwatch-bo3-trader
Trades structural arbitrage between Overwatch BO3 series winner markets and individual game winner markets on Polymarket by detecting probability inconsistencies
Clean Polymarket arbitrage trading bot with no malicious behavior, well-documented functionality, and legitimate use of the simmer-sdk dependency.
Skill Name: polymarket-bundle-overwatch-bo3-trader
Duration: 41.5s
Engine: pi
Safe to install
The skill is safe to use. Optionally pin the simmer-sdk version in a requirements.txt or clawhub.json for reproducibility.

Findings 1 items

Severity: Low
Finding: Unpinned simmer-sdk dependency
Location: Supply Chain (clawhub.json:3)
The simmer-sdk package is declared without a version constraint, allowing any version to be installed. While simmer-sdk is a known legitimate trading platform SDK, version pinning improves reproducibility.
"pip": ["simmer-sdk"]
→ Add a version constraint: e.g. "simmer-sdk>=1.0.0" or pin to a known stable release
Resource | Declared | Inferred | Status | Evidence
Filesystem NONE NONE
Network NONE WRITE ✓ Aligned SimmerClient trades via Polymarket API (trader.py:54)
Shell NONE NONE
Environment READ READ ✓ Aligned os.environ.get('SIMMER_API_KEY') at trader.py:54

File Tree

3 files · 23.4 KB · 608 lines
Python 1f · 419L Markdown 1f · 102L JSON 1f · 87L
├─ 📋 clawhub.json JSON 87L · 1.9 KB
├─ 📝 SKILL.md Markdown 102L · 6.2 KB
└─ 🐍 trader.py Python 419L · 15.3 KB

Dependencies 1 items

Package | Version | Source | Known Vulns | Notes
simmer-sdk unpinned pip No Version not pinned — only minor reproducibility concern

Security Positives

✓ No shell execution or subprocess usage of any kind
✓ No file system writes or reads outside expected SDK behavior
✓ No credential harvesting beyond the required SIMMER_API_KEY (used only by SimmerClient for trading)
✓ No obfuscation, base64 payloads, eval(), or exec() usage
✓ SKILL.md accurately documents all functionality with no mismatch against trader.py
✓ Paper trading is the safe default (venue='sim' without --live flag)
✓ Uses regex only for market question string parsing — no dynamic code execution
✓ No sensitive path access (~/.ssh, ~/.aws, .env, etc.)
✓ No hidden instructions, HTML comments, or injected directives
✓ No external IP connections, C2 communication, or data exfiltration
✓ Flip-flop and slippage safeguards built into trade logic