Scan Report
5 /100
polymarket-24h-equity-strike-trader
Trades structural mispricings in equity/stock price-threshold markets by reconstructing the implied probability curve across strike levels and detecting monotonicity breaks and range-sum inconsistencies.
A legitimate Polymarket trading bot that detects probability-curve violations in equity strike-ladder markets using the simmer-sdk. Defaults to paper trading, only reads declared environment variables, and performs no obfuscation, credential harvesting, or undeclared network/file/shell access.
Safe to install
This skill is safe to use. No security concerns identified. Ensure SIMMER_API_KEY is stored securely (e.g., secret manager, not .env committed to source).
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Environment | READ | READ | ✓ Aligned | trader.py:27-40 (os.environ.get for SIMMER_API_KEY + 9 tunables) |
| Network | READ | READ | ✓ Aligned | trader.py:44-57 (SimmerClient with venue='polymarket' or 'sim') |
| Shell | NONE | NONE | — | No subprocess/os.system/eval calls in trader.py |
| Filesystem | NONE | NONE | — | No open()/write()/read() file operations in trader.py |
| Clipboard | NONE | NONE | — | No clipboard access |
| Browser | NONE | NONE | — | No browser automation |
| Database | NONE | NONE | — | No database operations |
| Skill Invoke | NONE | NONE | — | No nested skill invocation |
File Tree
3 files · 29.7 KB · 785 lines Python 1f · 567L
Markdown 1f · 131L
JSON 1f · 87L
├─
clawhub.json
JSON
├─
SKILL.md
Markdown
└─
trader.py
Python
Dependencies 1 items
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
simmer-sdk | latest | PyPI | No | Hosted on pypi.org by SpartanLabsXyz; version pinning recommended for reproducibility |
Security Positives
✓ Paper trading (venue='sim') is the default — zero financial risk out of the box
✓ Explicit --live flag required for real trades, clearly documented in SKILL.md and trader.py
✓ Only reads declared environment variables; no iteration over os.environ for credential discovery
✓ No obfuscation (no base64, no eval, no atob patterns)
✓ No shell execution, subprocess, or direct network calls — all via trusted simmer-sdk
✓ No sensitive path access (~/.ssh, ~/.aws, .env files)
✓ No credential exfiltration or data leakage patterns
✓ Risk parameters (position limits, thresholds) are tunable and documented
✓ Autostart=false and cron=null prevent silent unattended execution
✓ Dependencies are a single well-named PyPI package (simmer-sdk)