中文 EN

Scan Report

Scan New Files

Trusted — Risk Score 5/100
Last scan:1 day ago Rescan
5 /100
polymarket-candle-harami-trader
Detects harami candlestick patterns on Polymarket crypto 5-minute interval markets and trades expected reversals with conviction-based sizing.
A legitimate Polymarket harami candlestick pattern trading skill with clean, documented behavior and no malicious indicators.
Skill Namepolymarket-candle-harami-trader
Duration35.2s
Enginepi
Safe to install
Approve for use. The skill performs exactly as documented: paper trading by default, credential-based API access via a declared SDK dependency, and no filesystem or shell operations.

Findings 1 items

Severity Finding Location
Low
Unpinned simmer-sdk dependency Supply Chain
clawhub.json declares 'simmer-sdk' without a version constraint, allowing any version to be installed. A compromised or backdoored future version could introduce risk.
"pip": ["simmer-sdk"]
→ Pin to a specific version or version range: e.g., "simmer-sdk>=1.0.0,<2.0.0"
 clawhub.json:3
ResourceDeclaredInferredStatusEvidence
Filesystem NONE NONE No file read/write operations. Standard library only except simmer-sdk.
Network READ READ ✓ Aligned SimmerClient (simmer-sdk) makes API calls to Polymarket; declared in SKILL.md de…
Shell NONE NONE No subprocess, os.system, or shell command execution in trader.py
Environment READ READ ✓ Aligned Reads SIMMER_API_KEY and 10 SIMMER_* tunables; all declared in SKILL.md Required…
Skill Invoke NONE NONE No inter-skill invocation
Clipboard NONE NONE No clipboard access
Browser NONE NONE No browser automation
Database NONE NONE No database access

File Tree

3 files · 22.4 KB · 563 lines
Python 1f · 373L Markdown 1f · 95L JSON 1f · 95L
├─ 📋 clawhub.json JSON 95L · 2.1 KB
├─ 📝 SKILL.md Markdown 95L · 6.4 KB
└─ 🐍 trader.py Python 373L · 13.9 KB

Dependencies 1 items

PackageVersionSourceKnown VulnsNotes
simmer-sdk unpinned pip (PyPI) No No version constraint specified — any version will be installed

Security Positives

✓ Paper trading by default (venue='sim') eliminates financial risk without --live flag
✓ No subprocess, shell execution, or eval calls anywhere in the codebase
✓ No file system writes or sensitive path access (~/.ssh, ~/.aws, .env, etc.)
✓ No base64, obfuscation, or anti-analysis patterns
✓ No hidden functionality — code behavior matches SKILL.md documentation precisely
✓ No curl|bash or wget|sh remote script execution
✓ SIMMER_API_KEY is used only to initialize SimmerClient, not exfiltrated
✓ Network access is SDK-mediated and scoped to Polymarket trading API
✓ autostart=false and cron=null prevent silent automated execution