中文 EN

Scan Report

Scan New Files

Trusted — Risk Score 5/100
Last scan:1 day ago Rescan
5 /100
polymarket-candle-morning-star-trader
Trades crypto 'Up or Down' 5-minute interval markets on Polymarket by detecting Morning Star/Evening Star candlestick reversal patterns
Legitimate Polymarket trading bot with clear Morning Star/Evening Star candlestick pattern detection. Defaults to paper trading with robust safety controls. No malicious behavior detected.
Skill Namepolymarket-candle-morning-star-trader
Duration28.8s
Enginepi
Safe to install
Skill is safe to use. Ensure SIMMER_API_KEY is properly secured and only use --live flag when intentional real trading is desired.

Findings 1 items

Severity Finding Location
Low
Missing allowed-tools declaration Doc Mismatch
SKILL.md and clawhub.json do not declare an allowed-tools mapping. However, the code only uses environment variable reads and an SDK API call with no shell or filesystem access.
No allowed-tools field present
→ Add explicit allowed-tools declaration to clawhub.json for transparency: {env: ['SIMMER_*'], api: ['simmer-sdk']}
 clawhub.json:1
ResourceDeclaredInferredStatusEvidence
Environment READ READ ✓ Aligned trader.py:67-81 reads SIMMER_* env vars
Network READ READ ✓ Aligned trader.py:68 SimmerClient connects to Polymarket API
Filesystem NONE NONE No file operations in code
Shell NONE NONE No subprocess/shell execution found

File Tree

3 files · 24.5 KB · 619 lines
Python 1f · 421L Markdown 1f · 103L JSON 1f · 95L
├─ 📋 clawhub.json JSON 95L · 2.0 KB
├─ 📝 SKILL.md Markdown 103L · 6.4 KB
└─ 🐍 trader.py Python 421L · 16.1 KB

Dependencies 1 items

PackageVersionSourceKnown VulnsNotes
simmer-sdk * pip No Version not pinned in requirements, but sourced from PyPI with established maintainer

Security Positives

✓ Defaults to paper trading (venue='sim'), zero financial risk by default
✓ Real trades require explicit --live flag, preventing accidental live execution
✓ No shell execution (subprocess, curl|bash, wget|sh)
✓ No sensitive file access (~/.ssh, ~/.aws, .env)
✓ No obfuscation (base64, eval, encoded payloads)
✓ No credential exfiltration to external endpoints
✓ Clear, well-documented candlestick pattern logic
✓ Built on reputable simmer-sdk from SpartanLabsXyz with pinned PyPI dependency
✓ Safety guards: flip-flop detection, slippage checks, spread limits
✓ Credential (SIMMER_API_KEY) used only for Polymarket API authentication