Trusted — Risk Score 5/100
Last scan: 1 day ago
polymarket-48h-price-curve-arb-trader
Trades structural mispricings in crypto price-threshold markets on Polymarket by reconstructing the implied probability distribution curve
Legitimate Polymarket arbitrage trading skill with well-documented behavior, paper-trading defaults, and no malicious or exfiltration-capable code.
Skill Name: polymarket-48h-price-curve-arb-trader
Duration: 29.5s
Engine: pi
Safe to install
This skill is safe to use. Ensure SIMMER_API_KEY is stored securely and that the pip install pins simmer-sdk to a specific version before production deployment.

Findings: 1 item

Severity | Finding | Location
Low | Unpinned external dependency | Supply Chain

simmer-sdk is declared as a dependency but has no version pin in clawhub.json, so a new upstream release can silently change the skill's behavior.
"pip": ["simmer-sdk"]
→ Pin to a specific version, e.g., "simmer-sdk==1.2.3", and verify the package hash if available.
Location: clawhub.json:4
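The check behind this finding is small enough to show in full. What follows is an added example written for this page, not code from the scanner or from the skill: it parses the pip list in a clawhub.json manifest, reports entries that lack an exact == pin, and rewrites them with a pin you supply. The manifest is constructed from the single entry quoted above (the real file's other keys are not on the page), and 1.2.3 is the report's placeholder version, not a known simmer-sdk release.

```python
import json
import re

# Constructed manifest mirroring the one entry the report quotes ("pip": ["simmer-sdk"]);
# the real clawhub.json has other keys that are not reproduced on the page.
SAMPLE_MANIFEST = json.dumps({
    "name": "polymarket-48h-price-curve-arb-trader",
    "pip": ["simmer-sdk"],
})

# PEP 508-style requirement: project name, optional [extras], then the version spec.
_REQ_RE = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)"   # project name
    r"(?:\[[^\]]*\])?"                            # optional extras
    r"\s*(?P<spec>.*?)\s*$"                       # everything else: the version spec
)
# '==1.2.3' or '===1.2.3'; the character class has no '*', so wildcards are rejected.
_EXACT_RE = re.compile(r"===?\s*[A-Za-z0-9.+!-]+")


def split_requirement(req: str):
    """Return (name, spec), or (None, None) if the string is not a requirement."""
    m = _REQ_RE.match(req)
    return (m.group("name"), m.group("spec")) if m else (None, None)


def is_pinned(req: str) -> bool:
    """True only when every clause is an exact '==' pin. Bare names, ranges
    (>=, ~=, !=) and wildcards (==1.2.*) all count as unpinned."""
    _, spec = split_requirement(req)
    if spec is None:
        return False
    clauses = [c.strip() for c in spec.split(",") if c.strip()]
    return bool(clauses) and all(_EXACT_RE.fullmatch(c) for c in clauses)


def unpinned_deps(manifest_json: str) -> list:
    """pip entries in the manifest that are not exactly pinned."""
    manifest = json.loads(manifest_json)
    return [req for req in manifest.get("pip", []) if not is_pinned(req)]


def pin_manifest(manifest_json: str, pins: dict) -> str:
    """Rewrite unpinned entries as 'name==version' from the pins you have
    verified (name -> version). Entries with no known pin are left untouched."""
    manifest = json.loads(manifest_json)
    fixed = []
    for req in manifest.get("pip", []):
        name, _ = split_requirement(req)
        if not is_pinned(req) and name in pins:
            fixed.append(f"{name}=={pins[name]}")
        else:
            fixed.append(req)
    manifest["pip"] = fixed
    return json.dumps(manifest, indent=2)


if __name__ == "__main__":
    print("unpinned:", unpinned_deps(SAMPLE_MANIFEST))
    # 1.2.3 is the report's placeholder version, not a real simmer-sdk release.
    print(pin_manifest(SAMPLE_MANIFEST, {"simmer-sdk": "1.2.3"}))
```

A pin fixes which version is resolved but not what bytes arrive; the standard way to get integrity as well is a requirements file with `--hash=sha256:...` entries installed under `pip install --require-hashes`, which the manifest's bare pip list does not express.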
Resource | Declared | Inferred | Status | Evidence
Network | READ | READ | ✓ Aligned | trader.py: client.find_markets() via simmer-sdk
Environment | READ | READ | ✓ Aligned | trader.py: os.environ[...] for SIMMER_* vars
Filesystem | NONE | NONE | | No file I/O in trader.py
Shell | NONE | NONE | | No subprocess/os.system calls found
Skill Invoke | NONE | NONE | | No skill invocation found
Clipboard | NONE | NONE | | No clipboard access found
Browser | NONE | NONE | | No browser automation found
Database | NONE | NONE | | No database access found
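The Declared / Inferred / Status table above is a capability-alignment check: what the manifest claims against what the code is seen to do. The block below is an added example of how that inference can be done with Python's ast module; it is neither the scanner's code nor the skill's. The source string is a constructed stand-in for trader.py (the module name simmer_sdk and the class SimmerClient are assumptions, not taken from the page), and the signal tables are a deliberately small subset of what a real scanner would carry.

```python
import ast

# Constructed stand-in for trader.py; the real 475-line file is not on the page.
SAMPLE_SOURCE = '''
import os
from simmer_sdk import SimmerClient  # assumed names, not verified against the real SDK

def main(live: bool = False):
    api_key = os.environ["SIMMER_API_KEY"]
    client = SimmerClient(api_key)
    return client.find_markets("crypto")
'''

RESOURCES = ("Network", "Environment", "Filesystem", "Shell")

# Fully qualified call targets that imply use of a resource. Deliberately small.
CALL_SIGNALS = {
    "Shell": {"os.system", "os.popen", "subprocess.run", "subprocess.Popen",
              "subprocess.call", "subprocess.check_output"},
    "Filesystem": {"open", "pathlib.Path", "os.remove", "shutil.copy", "shutil.rmtree"},
    "Network": {"socket.socket", "requests.get", "requests.post",
                "urllib.request.urlopen", "http.client.HTTPConnection"},
}
# Attribute accesses (no call needed) that imply a resource.
ATTR_SIGNALS = {"Environment": {"os.environ", "os.getenv"}}
# Importing one of these counts as Network use even without a direct socket call,
# which is how an SDK such as simmer-sdk shows up as Network READ.
NETWORK_MODULES = {"simmer_sdk", "requests", "httpx", "urllib", "socket", "http"}


def _dotted(node: ast.AST):
    """Rebuild 'pkg.mod.attr' from a Name/Attribute chain; None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def infer_resources(source: str) -> dict:
    """Return {resource: 'NONE' | 'READ'} inferred from the source's AST."""
    inferred = {r: "NONE" for r in RESOURCES}
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            modules = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom):
            modules = [node.module or ""]
        else:
            modules = []
        if any(m.split(".")[0] in NETWORK_MODULES for m in modules):
            inferred["Network"] = "READ"
        if isinstance(node, ast.Call):
            target = _dotted(node.func)
            for res, sigs in CALL_SIGNALS.items():
                if target in sigs:
                    inferred[res] = "READ"
        if isinstance(node, (ast.Attribute, ast.Name)):
            target = _dotted(node)
            for res, sigs in ATTR_SIGNALS.items():
                if target in sigs:
                    inferred[res] = "READ"
    return inferred


def alignment(declared: dict, inferred: dict) -> dict:
    """Compare declared vs inferred per resource. 'Undeclared use' (code uses more
    than the manifest admits) is the case a reviewer cares about."""
    rank = {"NONE": 0, "READ": 1, "WRITE": 2}
    status = {}
    for res in RESOURCES:
        d = rank[declared.get(res, "NONE")]
        i = rank[inferred.get(res, "NONE")]
        status[res] = "Aligned" if d == i else ("Undeclared use" if i > d else "Over-declared")
    return status


if __name__ == "__main__":
    inf = infer_resources(SAMPLE_SOURCE)
    for res, st in alignment({"Network": "READ", "Environment": "READ"}, inf).items():
        print(f"{res:<12} inferred={inf[res]:<5} {st}")
```

Static inference of this kind only sees what is spelled out in the source; a call reached through getattr, importlib or an exec'd string will not appear, which is why the report separately lists the absence of obfuscation and dynamic execution as a positive.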

File Tree

3 files · 25.3 KB · 684 lines
Python: 1 file, 475 lines · Markdown: 1 file, 122 lines · JSON: 1 file, 87 lines
├─ 📋 clawhub.json JSON 87L · 1.8 KB
├─ 📝 SKILL.md Markdown 122L · 5.2 KB
└─ 🐍 trader.py Python 475L · 18.3 KB

Dependencies: 1 item

Package | Version | Source | Known Vulns | Notes
simmer-sdk | * | pip | No | Version not pinned; low risk, external SDK from SpartanLabsXyz

Security Positives

✓ All behavior is explicitly declared in SKILL.md — no hidden functionality
✓ Paper-trading (sim) is the default mode; --live flag is required for real trades
✓ No subprocess, shell execution, or direct network calls outside the SDK
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env, etc.)
✓ No obfuscation, base64 execution, or anti-analysis techniques
✓ Credential (SIMMER_API_KEY) is read only to authorize SDK calls and is not exfiltrated
✓ No cron/automation autostart; autostart is false by design
✓ Code is clean, readable, and well-structured with no suspicious patterns