polymarket-twitter-cross-contagion-trader Security Report — Low Risk | ClawSafe

15 /100

polymarket-twitter-cross-contagion-trader

Trades post-count bin markets by detecting cross-person contagion where one public figure posting heavily causes correlated figures to increase their rate.

A legitimate Polymarket trading bot with proper safety defaults; paper trading is enforced without --live, credential usage is confined to local SDK calls, and no malicious behavior was detected.

Skill Namepolymarket-twitter-cross-contagion-trader

Duration30.7s

Enginepi

✓

Safe to install

Pin the simmer-sdk version in requirements to mitigate supply chain risk. Otherwise, the skill is safe for use.

Findings 1 items

Severity	Finding	Location
Low	Unpinned simmer-sdk dependency Supply Chain The skill declares 'requires_pip: simmer-sdk' but specifies no version constraint. Installing without a pin means pip fetches the latest release, which could be replaced or compromised. `"requires": { "pip": ["simmer-sdk"] }` → Pin to a specific version, e.g., 'simmer-sdk==1.2.3', and verify the hash if possible. Review the SDK source at https://github.com/SpartanLabsXyz/simmer-sdk before deploying with live credentials.	`clawhub.json:5`

Resource	Declared	Inferred	Status	Evidence
Filesystem	`NONE`	`NONE`	—	No file read/write operations found
Network	`READ`	`READ`	✓ Aligned	SimmerClient API calls to api.simmer.markets (declared)
Shell	`NONE`	`NONE`	—	No subprocess/os.system/eval calls
Environment	`READ`	`READ`	✓ Aligned	Reads SIMMER_API_KEY and SIMMER_* tunables only
Skill Invoke	`NONE`	`NONE`	—	N/A
Clipboard	`NONE`	`NONE`	—	N/A
Browser	`NONE`	`NONE`	—	N/A
Database	`NONE`	`NONE`	—	N/A

2 findings

🔗

Medium External URL 外部 URL

https://simmer.markets/skills

SKILL.md:10

📧

Info Email 邮箱地址

[email protected]

SKILL.md:119

File Tree

3 files · 17.9 KB · 502 lines

Python 1f · 298L Markdown 1f · 121L JSON 1f · 83L

├─ 📋 clawhub.json JSON 83L · 1.6 KB

├─ 📝 SKILL.md Markdown 121L · 5.1 KB

└─ 🐍 trader.py Python 298L · 11.2 KB

Dependencies 1 items

Package	Version	Source	Known Vulns	Notes
`simmer-sdk`	`*`	pip	No	Version not pinned; published by [email protected] on PyPI

Security Positives

✓ Paper trading is the hardcoded default; real trades require explicit --live flag

✓ No shell execution, subprocess, or eval calls

✓ No credential exfiltration; SIMMER_API_KEY is used only for local SimmerClient auth

✓ No sensitive path access (~/.ssh, ~/.aws, .env files are not touched)

✓ No base64, obfuscation, or hidden HTML instructions

✓ autostart=false and cron=null prevent unattended execution

✓ Documentation accurately describes all behavior and safety mechanisms

✓ Risk parameters are tunable via SIMMER_* env vars, keeping credentials isolated

Scan Report

Findings 1 items

File Tree

Dependencies 1 items

Security Positives