Trusted — Risk Score 5/100
Last scan: 1 day ago
polymarket-48h-precipitation-range-trader
Trades mispricings in precipitation-range markets by reconstructing probability distributions across bins and detecting sum/monotonicity violations
Legitimate Polymarket precipitation-range trading bot with no malicious behavior, paper-trading by default, and clean implementation.
Skill Name: polymarket-48h-precipitation-range-trader
Duration: 23.5s
Engine: pi
Safe to install
Approve for use. The skill is a well-documented trading bot that identifies probability distribution violations in Polymarket precipitation markets. No action required.

Findings (1 item)

Severity: Low
Finding: simmer-sdk dependency not version-pinned
Location: Supply Chain (clawhub.json:6)
The skill depends on simmer-sdk from PyPI without a pinned version, which could allow a future supply-chain compromise.
"pip": ["simmer-sdk"]
→ Pin simmer-sdk to a specific version (e.g., simmer-sdk==1.2.3) to prevent unexpected updates.
Resource    | Declared | Inferred | Status    | Evidence
Filesystem  | NONE     | NONE     |           | No file read/write operations in trader.py
Network     | READ     | READ     | ✓ Aligned | SDK connects to Polymarket API for market data and trade execution; declared in …
Shell       | NONE     | NONE     |           | No subprocess or shell command execution in trader.py
Environment | READ     | READ     | ✓ Aligned | Reads SIMMER_API_KEY and risk tunables; credential used locally with SDK only

File Tree

3 files · 29.2 KB · 767 lines
Python: 1 file, 561 lines · Markdown: 1 file, 119 lines · JSON: 1 file, 87 lines
├─ 📋 clawhub.json JSON 87L · 1.8 KB
├─ 📝 SKILL.md Markdown 119L · 6.0 KB
└─ 🐍 trader.py Python 561L · 21.4 KB

Dependencies (1 item)

Package    | Version  | Source | Known Vulns | Notes
simmer-sdk | unpinned | pip    | No          | No version pin in clawhub.json; PyPI package without fixed version

Security Positives

✓ Paper trading by default (venue="sim"), zero financial risk without explicit --live flag
✓ No subprocess or shell execution
✓ No sensitive file path access (~/.ssh, ~/.aws, .env, etc.)
✓ No credential exfiltration — SIMMER_API_KEY is used locally with the SDK only
✓ No obfuscation, base64 encoding, or anti-analysis techniques
✓ No hidden functionality — all behavior matches SKILL.md documentation
✓ Comprehensive safeguards: threshold gates, spread filters, flip-flop detection, max positions
✓ Clean code with no dynamic execution (no eval, exec, or ast.literal_eval misuse)