Scan Report
15/100
polymarket-equity-markets-trader
Trades Polymarket prediction markets on stock index milestones, IPOs, earnings surprises, and company-specific financial events
A legitimate Polymarket trading bot using the simmer-sdk SDK with no malicious behavior detected. The skill safely defaults to paper trading mode and has clear documentation matching implementation.
Safe to install
This skill is safe to use. Verify the simmer-sdk package integrity by checking its PyPI page and consider pinning a specific version for reproducibility.
Findings 2 items
| Severity | Finding | Location |
|---|---|---|
| Low | Third-party SDK dependency (Supply Chain) | clawhub.json:1 |
| Info | Credential environment variable (Sensitive Access) | trader.py:68 |
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Network | READ | READ | ✓ Aligned | Uses SimmerClient API calls to Polymarket |
| Environment | READ | READ | ✓ Aligned | os.environ.get() for configuration only |
| Shell | NONE | NONE | — | No subprocess or shell execution found |
| Filesystem | NONE | NONE | — | No file read/write operations |
File Tree
3 files · 28.4 KB · 578 lines
Python 1f · 375L
Markdown 1f · 130L
JSON 1f · 73L
├─ clawhub.json (JSON)
├─ SKILL.md (Markdown)
└─ trader.py (Python)
Dependencies 1 items
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| simmer-sdk | * | pip | No | Latest version from PyPI, source not bundled for audit |
Security Positives
✓ Paper trading is the safe default mode - no real trades without explicit --live flag
✓ SKILL.md documentation is comprehensive and accurately describes implementation
✓ No shell execution or subprocess calls detected
✓ No obfuscation techniques (base64, eval, atob) found
✓ No credential harvesting beyond what's needed for the trading API
✓ No hidden functionality or shadow behavior
✓ Explicit cron/autostart: null prevents automatic execution
✓ Code is clean, well-commented, and follows Python best practices