Trusted — Risk Score 5/100
Last scan: 1 day ago
polymarket-celebrity-social-trader
Trades Polymarket prediction markets on celebrity events, viral social media moments, and reality TV outcomes with conviction-based sizing and fan loyalty bias correction.
A legitimate Polymarket trading bot using the simmer-sdk library with clean code, paper-trading defaults, and no suspicious behavior detected.
Skill Name: polymarket-celebrity-social-trader
Duration: 29.9s
Engine: pi
Safe to install
No action needed. The skill operates safely through a documented SDK and defaults to paper trading.

Findings (1 item)

Severity: Low
Finding: Unpinned dependency version (Supply Chain)
Location: clawhub.json:10
Description: simmer-sdk is not version-pinned in the skill metadata. While the package is from a known source (SpartanLabsXyz), unpinned versions could allow a malicious update to be installed.
Evidence: "requires": {"pip": ["simmer-sdk"]}
Recommendation: Pin to a specific version: "simmer-sdk>=1.0.0,<2.0.0"
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | NONE | NONE | | No file operations in code |
| Network | READ | READ | ✓ Aligned | SDK API calls only via SimmerClient |
| Shell | NONE | NONE | | No subprocess, os.system, or shell commands |
| Environment | READ | READ | ✓ Aligned | Reads SIMMER_API_KEY and tunable SIMMER_* vars only |
| Skill Invoke | NONE | NONE | | No skill-to-skill calls |
| Clipboard | NONE | NONE | | No clipboard access |
| Browser | NONE | NONE | | No browser automation |
| Database | NONE | NONE | | No database operations |

File Tree

3 files · 24.2 KB · 528 lines
Python 1f · 335L Markdown 1f · 125L JSON 1f · 68L
├─ 📋 clawhub.json JSON 68L · 1.1 KB
├─ 📝 SKILL.md Markdown 125L · 7.2 KB
└─ 🐍 trader.py Python 335L · 15.9 KB

Dependencies (1 item)

| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| simmer-sdk | not pinned | PyPI | No | No version constraint specified in clawhub.json |

Security Positives

✓ Clean codebase with no shell execution, subprocess, or os.system calls
✓ Paper trading is the safe default — live trades require explicit --live flag
✓ SDK-only network operations through well-documented SimmerClient
✓ Credential access limited to declared SIMMER_API_KEY
✓ No sensitive file access (~/.ssh, ~/.aws, .env)
✓ No obfuscation, base64, or anti-analysis patterns
✓ Documentation accurately describes code behavior (no doc deception)
✓ Autostart disabled, cron null — no automatic execution without user consent