Scan Report
0/100
polymarket-candle-volume-spike-trader
Cross-coin volume spike detection for crypto Up or Down markets on Polymarket. Trades lagging coins in the next interval after cross-market conviction is confirmed.
A straightforward Polymarket crypto trading signal skill with no security issues. Paper-trading safe-by-default, single declared dependency, no shell/network misuse, no credential harvesting, and no obfuscation.
Safe to install
No action needed. The skill is clean and can be used as-is.
| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| File system | NONE | NONE | — | No file reads or writes found in trader.py |
| Network access | READ | READ | ✓ Consistent | Uses simmer-sdk SimmerClient to call Polymarket API (find_markets, get_markets, … |
| Command execution | NONE | NONE | — | No subprocess, os.system, popen, or any shell command invocation |
| Environment variables | READ | READ | ✓ Consistent | trader.py:34-45 reads SIMMER_API_KEY and tunable params (SIMMER_MAX_POSITION, et… |
| Skill invocation | NONE | NONE | — | No other skills invoked |
| Clipboard | NONE | NONE | — | No clipboard access |
| Browser | NONE | NONE | — | No browser automation |
| Database | NONE | NONE | — | No database access |
Directory structure
3 files · 24.4 KB · 624 lines
Python 1f · 427L
Markdown 1f · 102L
JSON 1f · 95L
├─ clawhub.json (JSON)
├─ SKILL.md (Markdown)
└─ trader.py (Python)
Dependency analysis (1 item)
| Package | Version | Source | Known vulnerabilities | Notes |
|---|---|---|---|---|
| simmer-sdk | unpinned | pip | No | Declared in SKILL.md and clawhub.json. Unpinned version is a minor supply-chain risk but the package is from Simmer Markets / SpartanLabsXyz |
Security highlights
✓ Defaults to paper trading (venue='sim') — zero financial risk without explicit --live flag
✓ No shell execution, subprocess, or system calls of any kind
✓ No credential harvesting — SIMMER_API_KEY is used only to authenticate to the Simmer SDK, never exfiltrated
✓ Single declared pip dependency: simmer-sdk (from PyPI, version unpinned but from a known vendor)
✓ No obfuscation: plain Python with readable variable names and inline comments
✓ No file system access (no reads/writes anywhere)
✓ No access to sensitive paths such as ~/.ssh, ~/.aws, or .env files
✓ No base64, eval, exec, or dynamic code generation
✓ All capability usage (network via SDK, environment reads) is clearly declared in SKILL.md
✓ No data exfiltration, C2 communication, or outbound network calls outside the declared Polymarket API