Scan report
5/100
polymarket-bundle-overwatch-bo3-trader
Trades structural arbitrage between Overwatch BO3 series winner markets and individual game winner markets on Polymarket by detecting probability inconsistencies
Clean Polymarket arbitrage trading bot with no malicious behavior, well-documented functionality, and legitimate use of the simmer-sdk dependency.
Safe to install
The skill is safe to use. Optionally pin the simmer-sdk version in a requirements.txt or clawhub.json for reproducibility.
Security findings (1)
| Severity | Finding | Location |
|---|---|---|
| Low | Unpinned simmer-sdk dependency (supply chain) | clawhub.json:3 |

| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| File system | NONE | NONE | — | |
| Network access | NONE | WRITE | ✓ Consistent | SimmerClient trades via Polymarket API (trader.py:54) |
| Command execution | NONE | NONE | — | |
| Environment variables | READ | READ | ✓ Consistent | os.environ.get('SIMMER_API_KEY') at trader.py:54 |
Directory structure
3 files · 23.4 KB · 608 lines
Python: 1 file · 419 lines
Markdown: 1 file · 102 lines
JSON: 1 file · 87 lines
├─ clawhub.json (JSON)
├─ SKILL.md (Markdown)
└─ trader.py (Python)
Dependency analysis (1)
| Package | Version | Source | Known vulnerabilities | Notes |
|---|---|---|---|---|
| simmer-sdk | unpinned | pip | No | Version not pinned; only a minor reproducibility concern |
Security highlights
✓ No shell execution or subprocess usage of any kind
✓ No file system writes or reads outside expected SDK behavior
✓ No credential harvesting beyond the required SIMMER_API_KEY (used only by SimmerClient for trading)
✓ No obfuscation, base64 payloads, eval(), or exec() usage
✓ SKILL.md accurately documents all functionality with no mismatch against trader.py
✓ Paper trading is the safe default (venue='sim' without --live flag)
✓ Uses regex only for market question string parsing — no dynamic code execution
✓ No sensitive path access (~/.ssh, ~/.aws, .env, etc.)
✓ No hidden instructions, HTML comments, or injected directives
✓ No external IP connections, C2 communication, or data exfiltration
✓ Flip-flop and slippage safeguards built into trade logic