Low Risk — Risk Score 15/100
Last scan: 1 day ago
polymarket-48h-nba-game-structure-trader
Trades structural inconsistencies across correlated NBA game markets on Polymarket by detecting cross-market mispricings
A legitimate NBA game structure arbitrage trading bot using the simmer-sdk; no malicious indicators found. Minor gap: SKILL.md doesn't explicitly declare the network access required by the SDK.
Skill Name: polymarket-48h-nba-game-structure-trader
Duration: 38.3s
Engine: pi
Safe to install
No blocking action needed. Consider adding explicit allowed-tools declarations (network:READ, environment:READ) to SKILL.md for full transparency.

Findings (2 items)

Finding 1
  Severity: Low
  Finding: Missing allowed-tools declaration in SKILL.md
  Category: Doc Mismatch
  Location: SKILL.md:1
  Details: SKILL.md declares the skill's trading behavior but omits explicit allowed-tools declarations. The code uses network (via simmer-sdk) and environment variable reads (os.environ), which should be declared for transparency.
  Evidence: No allowed-tools section present
  → Add an allowed-tools section: Read→filesystem:READ, SimmerClient→network:READ, os.environ.get→environment:READ

Finding 2
  Severity: Low
  Finding: Unversioned PyPI dependency
  Category: Supply Chain
  Location: SKILL.md:98
  Details: The skill declares 'simmer-sdk' from PyPI but provides no requirements.txt or equivalent version pin. Version resolution is delegated to pip's defaults.
  Evidence: simmer-sdk by Simmer Markets (SpartanLabsXyz) - PyPI
  → Add a requirements.txt with a pinned version (e.g., simmer-sdk==x.y.z) to prevent unexpected updates
Resource Access

Resource      Declared  Inferred  Status      Evidence
Network       NONE      READ      ✓ Aligned   trader.py:18 — SimmerClient uses requests to call Polymarket API
Environment   NONE      READ      ✓ Aligned   trader.py:51-59 — os.environ.get(...) reads SIMMER_API_KEY and risk tunables
Filesystem    NONE      NONE                  No file read/write operations in the code
Shell         NONE      NONE                  No subprocess, no shell commands, no os.system calls
Skill Invoke  NONE      NONE                  No recursive skill invocation
Clipboard     NONE      NONE                  Not used
Browser       NONE      NONE                  Not used
Database      NONE      NONE                  Not used

File Tree

3 files · 33.2 KB · 857 lines
Python: 1 file, 631 lines · Markdown: 1 file, 139 lines · JSON: 1 file, 87 lines
├─ 📋 clawhub.json JSON 87L · 1.8 KB
├─ 📝 SKILL.md Markdown 139L · 6.3 KB
└─ 🐍 trader.py Python 631L · 25.2 KB

Dependencies (1 item)

Package     Version  Source  Known Vulns  Notes
simmer-sdk  *        pip     No           Version not pinned; declared only in SKILL.md

Security Positives

✓ No subprocess, shell, or eval calls — clean execution model
✓ No credential exfiltration — SIMMER_API_KEY is read but only passed to the official SimmerClient
✓ No obfuscation — all code is plain Python, readable
✓ No sensitive path access (~/.ssh, ~/.aws, .env files not touched)
✓ No base64 or encoded payloads
✓ Paper trading (sim) is the default, with explicit --live flag required for real trades
✓ Built-in risk parameters (position limits, spread limits, threshold gates) limit financial exposure
✓ No autostart or cron configuration — skill is demand-driven only