Scan Report
0 /100
polymarket-twitter-bin-decay-trader
Trades post-count bin markets by tracking elapsed time to identify mathematically dead bins that still hold residual probability
A legitimate Polymarket trading bot that uses elapsed-time math to trade post-count bin markets, with safe paper-trading defaults and no malicious indicators found.
Safe to install
No action needed. The skill is safe to use. Ensure SIMMER_API_KEY is kept private and only enable --live trading in controlled environments.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | NONE | NONE | — | trader.py:1-6 — no file open/write calls |
| Network | READ | READ | ✓ Aligned | trader.py:7 — uses simmer-sdk for API calls to Polymarket (declared in SKILL.md) |
| Shell | NONE | NONE | — | trader.py — no subprocess/os.system calls |
| Environment | READ | READ | ✓ Aligned | trader.py:30-36 — reads SIMMER_* vars (declared in SKILL.md and clawhub.json) |
| Skill Invoke | NONE | NONE | — | No skill invocation mechanisms present |
| Clipboard | NONE | NONE | — | No clipboard access |
| Browser | NONE | NONE | — | No browser/web automation |
| Database | NONE | NONE | — | No database connections |
2 findings
Medium External URL 外部 URL
https://simmer.markets/skills SKILL.md:10 Info Email 邮箱地址
[email protected] SKILL.md:124 File Tree
3 files · 19.2 KB · 529 lines Python 1f · 320L
Markdown 1f · 126L
JSON 1f · 83L
├─
clawhub.json
JSON
├─
SKILL.md
Markdown
└─
trader.py
Python
Dependencies 1 items
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
simmer-sdk | unspecified | pip | No | Published on PyPI by Simmer Markets; version not pinned in requirements |
Security Positives
✓ Safe-by-default design: paper trading (venue=sim) is the default; live trading requires explicit --live flag
✓ All required credentials (SIMMER_API_KEY) and dependencies (simmer-sdk) are declared in SKILL.md and clawhub.json
✓ No obfuscation, no base64, no eval(), no dynamic code generation
✓ No network connections to external IPs beyond the documented simmer-sdk API endpoint
✓ No sensitive path access (~/.ssh, ~/.aws, .env, etc.)
✓ No credential exfiltration — API key is used only for Polymarket authentication via the SDK
✓ Uses only Python standard library + one documented third-party SDK from a known publisher
✓ Risk parameters are tunable via env vars and configurable from Simmer UI without code changes
✓ Code is straightforward, readable trading logic with no hidden functionality
✓ Automaton autostart is false, cron is null — skill does not auto-execute on install