Scan Report
0 /100
polymarket-candle-volume-spike-trader
Cross-coin volume spike detection for crypto Up or Down markets on Polymarket. Trades lagging coins in the next interval after cross-market conviction is confirmed.
A straightforward Polymarket crypto trading signal skill with no security issues. Paper-trading safe-by-default, single declared dependency, no shell/network misuse, no credential harvesting, and no obfuscation.
Safe to install
No action needed. The skill is clean and can be used as-is.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | NONE | NONE | — | No file reads or writes found in trader.py |
| Network | READ | READ | ✓ Aligned | Uses simmer-sdk SimmerClient to call Polymarket API (find_markets, get_markets, … |
| Shell | NONE | NONE | — | No subprocess, os.system, popen, or any shell command invocation |
| Environment | READ | READ | ✓ Aligned | trader.py:34-45 reads SIMMER_API_KEY and tunable params (SIMMER_MAX_POSITION, et… |
| Skill Invoke | NONE | NONE | — | No other skills invoked |
| Clipboard | NONE | NONE | — | No clipboard access |
| Browser | NONE | NONE | — | No browser automation |
| Database | NONE | NONE | — | No database access |
File Tree
3 files · 24.4 KB · 624 lines
Python 1f · 427L
Markdown 1f · 102L
JSON 1f · 95L
├─ clawhub.json (JSON)
├─ SKILL.md (Markdown)
└─ trader.py (Python)
Dependencies: 1 item
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| simmer-sdk | unpinned | pip | No | Declared in SKILL.md and clawhub.json. Unpinned version is a minor supply-chain risk but the package is from Simmer Markets / SpartanLabsXyz |
Security Positives
✓ Defaults to paper trading (venue='sim') — zero financial risk without explicit --live flag
✓ No shell execution, subprocess, or system calls of any kind
✓ No credential harvesting — SIMMER_API_KEY is used only to authenticate to the Simmer SDK, never exfiltrated
✓ Single declared pip dependency: simmer-sdk (from PyPI, version unpinned but from a known vendor)
✓ No obfuscation: plain Python with readable variable names and inline comments
✓ No file system access (no reads/writes anywhere)
✓ No access to sensitive paths such as ~/.ssh, ~/.aws, or .env files
✓ No base64, eval, exec, or dynamic code generation
✓ All capability usage (network via SDK, environment reads) is clearly declared in SKILL.md
✓ No data exfiltration, C2 communication, or outbound network calls outside the declared Polymarket API