Trusted: risk score 5/100
Last scanned: 1 day ago
polymarket-esports-trader
Trades esports prediction markets on Polymarket using conviction-based sizing with esports bias multipliers
Legitimate esports prediction market trading skill with clear paper-trading defaults, no shell execution, no credential exfiltration, and accurate documentation.
Skill name: polymarket-esports-trader
Analysis time: 28.1s
Engine: pi
Installable
Approve for use. The skill is safe with paper trading as default (venue=sim) and requires explicit --live flag for real trades.

Security findings (1)

Severity: Low
Finding: Unpinned simmer-sdk dependency
Location: Supply chain
Details: SKILL.md declares 'simmer-sdk' without version pinning. While unpinned dependencies are common for SDKs, pinning the version would provide reproducibility guarantees.
Package: simmer-sdk by Simmer Markets (SpartanLabsXyz)
→ Consider pinning to a specific version (e.g., simmer-sdk==1.2.3) for reproducible deployments
Reference: SKILL.md:93
Resource type      Declared  Inferred  Status        Evidence
File system        NONE      NONE                    No file read/write operations in trader.py
Network access     READ      READ      ✓ Consistent  Uses simmer-sdk API client; Polymarket integration is declared in SKILL.md
Command execution  NONE      NONE                    No subprocess, os.system, or shell commands found
Environment vars   READ      READ      ✓ Consistent  Reads SIMMER_API_KEY and SIMMER_* tunables; all documented in SKILL.md
Skill invocation   NONE      NONE                    No inter-skill invocation
Clipboard          NONE      NONE                    No clipboard access
Browser            NONE      NONE                    No browser automation
Database           NONE      NONE                    No database access

Directory structure

3 files · 27.4 KB · 596 lines
Python 1f · 388L Markdown 1f · 135L JSON 1f · 73L
├─ 📋 clawhub.json JSON 73L · 1.2 KB
├─ 📝 SKILL.md Markdown 135L · 7.7 KB
└─ 🐍 trader.py Python 388L · 18.5 KB

Dependency analysis (1)

Package     Version  Source  Known vulnerabilities  Notes
simmer-sdk  *        pip                            Version not pinned; SDK by Simmer Markets (SpartanLabsXyz) for Polymarket trading

Security highlights

✓ Paper trading is the safe default (venue=sim) — no financial risk without --live flag
✓ No shell execution (no subprocess, os.system, or shell commands)
✓ No credential exfiltration — SIMMER_API_KEY only used for SimmerClient authentication
✓ Documentation accurately reflects code behavior — no doc-to-code mismatch
✓ No sensitive file access (no ~/.ssh, ~/.aws, .env reads)
✓ No obfuscation or base64-encoded payloads
✓ No hidden functionality — code is readable and straightforward
✓ All tunable parameters are declared in clawhub.json and documented in SKILL.md
✓ Financial safeguards implemented: MAX_POSITION, MIN_VOLUME, MAX_SPREAD, MIN_DAYS gates