Trusted: risk score 5/100
Last scan: 1 day ago
polymarket-twitter-cadence-model-trader
Trades Twitter/X and Truth Social post-count bin markets using a Poisson statistical model
A legitimate Polymarket trading skill using a Poisson statistical model for Twitter post-count bin markets. All capabilities are declared, safe-by-default paper trading is enforced, and no malicious behavior was found.
Skill name: polymarket-twitter-cadence-model-trader
Analysis time: 34.5s
Engine: pi
Installable: yes
This skill is safe to use. No security issues detected. The only minor improvement would be pinning the simmer-sdk version in requirements.

Security findings: 1

Severity: Low
Finding: Unpinned simmer-sdk version (category: supply chain)
Location: clawhub.json:5
Details: clawhub.json declares 'simmer-sdk' without a version pin in requires.pip, which could allow a dependency to silently update to a compromised version.
Evidence: "pip": ["simmer-sdk"]
Recommendation: Pin to a specific version, e.g. "simmer-sdk==1.2.3", and periodically review for updates.
Resource type | Declared permission | Inferred permission | Status | Evidence
Filesystem | NONE | NONE | | No filesystem read/write operations found in trader.py
Network access | READ | READ | ✓ consistent | All network calls go through SimmerClient from simmer-sdk, documented in SKILL.m…
Command execution | NONE | NONE | | No subprocess, os.system, or shell command execution in trader.py
Environment variables | READ | READ | ✓ consistent | os.environ.get("SIMMER_...") only reads skill tunables and API key, all document…
Skill invocation | EXECUTE | EXECUTE | ✓ consistent | SimmerClient.apply_skill_config() and trade() are the core execution path
Clipboard | NONE | NONE | | No clipboard access found
Browser | NONE | NONE | | No browser automation found
Database | NONE | NONE | | No database access found
Indicators found: 2

Severity | Category | Type | Value | Location
Medium | External URL | External URL | https://simmer.markets/skills | SKILL.md:10
Info | Email | Email address | [email protected] | SKILL.md:122

Directory structure

3 files · 18.5 KB · 503 lines
Python 1 file · 296 lines; Markdown 1 file · 124 lines; JSON 1 file · 83 lines
├─ clawhub.json JSON 83 lines · 1.6 KB
├─ SKILL.md Markdown 124 lines · 5.1 KB
└─ trader.py Python 296 lines · 11.9 KB

Dependency analysis: 1 item

Package | Version | Source | Known vulnerabilities | Notes
simmer-sdk | * | PyPI | | Version not pinned; only dependency

Security highlights

✓ Safe-by-default design: paper trading (venue=sim) is the default; --live flag is required for real trades
✓ No credential exfiltration: API key is only used locally within SimmerClient constructor
✓ No shell execution: No subprocess, os.system, or popen calls found
✓ No sensitive path access: No reads of ~/.ssh, ~/.aws, .env, or similar credential paths
✓ No obfuscation: No base64, eval, or dynamic code generation
✓ No data exfiltration: All network calls are through the documented simmer-sdk API
✓ Complete documentation: SKILL.md accurately describes all behavior including trade modes and credential requirements
✓ No hidden functionality: All logic (Poisson model, market discovery, trading) matches stated purpose
✓ Clear financial safeguards: MAX_POSITION=$40, MIN_VOLUME=$1000, spread checks, and position limits are all declared