Trusted — Risk Score 5/100
Last scan: 1 day ago
polymarket-twitter-cadence-model-trader
Trades Twitter/X and Truth Social post-count bin markets using a Poisson statistical model
A legitimate Polymarket trading skill using a Poisson statistical model for Twitter post-count bin markets. All capabilities are declared, safe-by-default paper trading is enforced, and no malicious behavior was found.
Skill Name: polymarket-twitter-cadence-model-trader
Duration: 34.5s
Engine: pi
Safe to install
This skill is safe to use. No security issues detected. The only minor improvement would be pinning the simmer-sdk version in requirements.

Findings (1 item)

Severity: Low
Finding: Unpinned simmer-sdk version
Location: Supply Chain (clawhub.json:5)
clawhub.json declares 'simmer-sdk' without a version pin in requires.pip, which could allow the dependency to silently update to a compromised version.
    "pip": ["simmer-sdk"]
→ Pin to a specific version, e.g. "simmer-sdk==1.2.3", and periodically review for updates.
Resource      Declared  Inferred  Status     Evidence
Filesystem    NONE      NONE                 No filesystem read/write operations found in trader.py
Network       READ      READ      ✓ Aligned  All network calls go through SimmerClient from simmer-sdk, documented in SKILL.m…
Shell         NONE      NONE                 No subprocess, os.system, or shell command execution in trader.py
Environment   READ      READ      ✓ Aligned  os.environ.get("SIMMER_...") only reads skill tunables and API key, all document…
Skill Invoke  EXECUTE   EXECUTE   ✓ Aligned  SimmerClient.apply_skill_config() and trade() are the core execution path
Clipboard     NONE      NONE                 No clipboard access found
Browser       NONE      NONE                 No browser automation found
Database      NONE      NONE                 No database access found
2 findings

Severity  Type          Value                          Location
Medium    External URL  https://simmer.markets/skills  SKILL.md:10
Info      Email         [email protected]              SKILL.md:122

File Tree

3 files · 18.5 KB · 503 lines
Python: 1 file, 296 lines · Markdown: 1 file, 124 lines · JSON: 1 file, 83 lines
├─ clawhub.json  (JSON, 83 lines, 1.6 KB)
├─ SKILL.md      (Markdown, 124 lines, 5.1 KB)
└─ trader.py     (Python, 296 lines, 11.9 KB)

Dependencies (1 item)

Package     Version  Source  Known Vulns  Notes
simmer-sdk  *        PyPI    No           Version not pinned; only dependency

Security Positives

✓ Safe-by-default design: paper trading (venue=sim) is the default; --live flag is required for real trades
✓ No credential exfiltration: API key is only used locally within SimmerClient constructor
✓ No shell execution: No subprocess, os.system, or popen calls found
✓ No sensitive path access: No reads of ~/.ssh, ~/.aws, .env, or similar credential paths
✓ No obfuscation: No base64, eval, or dynamic code generation
✓ No data exfiltration: All network calls are through the documented simmer-sdk API
✓ Complete documentation: SKILL.md accurately describes all behavior including trade modes and credential requirements
✓ No hidden functionality: All logic (Poisson model, market discovery, trading) matches stated purpose
✓ Clear financial safeguards: MAX_POSITION=$40, MIN_VOLUME=$1000, spread checks, and position limits are all declared