Trusted (risk score 5/100)
Last scanned: 1 day ago
polymarket-music-entertainment-trader
Trades Polymarket prediction markets on music streaming milestones, album chart performance, Grammy nominations, and entertainment deals.
Legitimate Polymarket trading bot with well-documented paper trading default, clean code, and no malicious indicators.
Skill name: polymarket-music-entertainment-trader
Analysis time: 33.0s
Engine: pi
Verdict: Installable
Safe to use. The skill implements clear trading logic with appropriate safeguards (paper mode default, --live flag requirement for real trades).

Security findings (1)

Severity: Low
Finding: Dependency version not pinned
Category: Supply chain
The simmer-sdk dependency in clawhub.json does not specify a version, which could lead to unexpected behavior if the package changes in future releases.
    "pip": ["simmer-sdk"]
Recommendation: Pin to a specific version (e.g., "simmer-sdk>=1.0.0") to ensure reproducible behavior.
Location: clawhub.json:4
Permissions (resource: declared / inferred / status; evidence)

File system: NONE / NONE; no file operations in trader.py
Network access: READ / READ; ✓ consistent; API calls only through simmer-sdk to Polymarket, documented in SKILL.md
Command execution: NONE / NONE; no subprocess or shell execution detected
Environment variables: READ / READ; ✓ consistent; reads SIMMER_API_KEY and SIMMER_* tunables, all documented in SKILL.md
Skill invocation: NONE / NONE; no skill invocation capabilities
Clipboard: NONE / NONE; no clipboard access
Browser: NONE / NONE; no browser automation
Database: NONE / NONE; no database access
Indicator findings (5)

Medium: External URL: https://charts.spotify.com/charts/overview/global (SKILL.md:95)
Medium: External URL: https://www.billboard.com/charts/ (SKILL.md:96)
Medium: External URL: https://chartmetric.com/ (SKILL.md:97)
Medium: External URL: https://www.riaa.com/gold-platinum/ (SKILL.md:98)
Info: Email address: [email protected] (SKILL.md:150)

Directory structure

3 files · 18.8 KB · 466 lines
Python: 1 file · 241 lines; Markdown: 1 file · 152 lines; JSON: 1 file · 73 lines
├─ clawhub.json (JSON, 73 lines · 1.2 KB)
├─ SKILL.md (Markdown, 152 lines · 7.3 KB)
└─ trader.py (Python, 241 lines · 10.3 KB)

Dependency analysis (1)

Package: simmer-sdk
Version: * (unpinned)
Source: pip
Known vulnerabilities: none listed
Notes: Version not pinned; published by Simmer Markets ([email protected])

Security highlights

✓ Paper trading default (venue="sim") ensures zero financial risk unless --live flag is explicitly passed
✓ No shell execution or subprocess calls detected
✓ No credential exfiltration - SIMMER_API_KEY only used for API authentication
✓ Clean, readable code with no obfuscation or base64-encoded payloads
✓ No sensitive file/path access (no ~/.ssh, ~/.aws, .env access)
✓ Cron disabled by default (autostart: false, cron: null)
✓ Clear documentation of all capabilities and dependencies
✓ Doc-to-code alignment: all functionality declared in SKILL.md matches implementation