Trusted — Risk Score 5/100
Last scan: 1 day ago
polymarket-esports-trader
Trades esports prediction markets on Polymarket using conviction-based sizing with esports bias multipliers
Legitimate esports prediction market trading skill with clear paper-trading defaults, no shell execution, no credential exfiltration, and accurate documentation.
Skill Name: polymarket-esports-trader
Duration: 28.1s
Engine: pi
Safe to install
Approve for use. The skill is safe with paper trading as default (venue=sim) and requires explicit --live flag for real trades.

Findings 1 item

Severity: Low
Finding: Unpinned simmer-sdk dependency (Supply Chain)
Location: SKILL.md:93
SKILL.md declares 'simmer-sdk' without version pinning. While leaving an SDK unpinned is standard practice, version pinning would provide reproducibility guarantees.
simmer-sdk by Simmer Markets (SpartanLabsXyz)
→ Consider pinning to a specific version (e.g., simmer-sdk==1.2.3) for reproducible deployments

| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | NONE | NONE | | No file read/write operations in trader.py |
| Network | READ | READ | ✓ Aligned | Uses simmer-sdk API client; Polymarket integration is declared in SKILL.md |
| Shell | NONE | NONE | | No subprocess, os.system, or shell commands found |
| Environment | READ | READ | ✓ Aligned | Reads SIMMER_API_KEY and SIMMER_* tunables; all documented in SKILL.md |
| Skill Invoke | NONE | NONE | | No inter-skill invocation |
| Clipboard | NONE | NONE | | No clipboard access |
| Browser | NONE | NONE | | No browser automation |
| Database | NONE | NONE | | No database access |

File Tree

3 files · 27.4 KB · 596 lines
Python 1f · 388L Markdown 1f · 135L JSON 1f · 73L
├─ 📋 clawhub.json JSON 73L · 1.2 KB
├─ 📝 SKILL.md Markdown 135L · 7.7 KB
└─ 🐍 trader.py Python 388L · 18.5 KB

Dependencies 1 item

| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| simmer-sdk | * | pip | No | Version not pinned; SDK by Simmer Markets (SpartanLabsXyz) for Polymarket trading |

Security Positives

✓ Paper trading is the safe default (venue=sim) — no financial risk without --live flag
✓ No shell execution (no subprocess, os.system, or shell commands)
✓ No credential exfiltration — SIMMER_API_KEY only used for SimmerClient authentication
✓ Documentation accurately reflects code behavior — no doc-to-code mismatch
✓ No sensitive file access (no ~/.ssh, ~/.aws, .env reads)
✓ No obfuscation or base64-encoded payloads
✓ No hidden functionality — code is readable and straightforward
✓ All tunable parameters are declared in clawhub.json and documented in SKILL.md
✓ Financial safeguards implemented: MAX_POSITION, MIN_VOLUME, MAX_SPREAD, MIN_DAYS gates