Low risk: risk score 15/100
Last scanned: 1 day ago
polymarket-48h-nba-game-structure-trader
Trades structural inconsistencies across correlated NBA game markets on Polymarket by detecting cross-market mispricings
A legitimate NBA game structure arbitrage trading bot using the simmer-sdk; no malicious indicators found. Minor gap: SKILL.md doesn't explicitly declare the network access required by the SDK.
Skill name: polymarket-48h-nba-game-structure-trader
Analysis time: 38.3s
Engine: pi
Verdict: installable
No blocking action needed. Consider adding explicit allowed-tools declarations (network:READ, environment:READ) to SKILL.md for full transparency.

Security findings (2)

Severity | Finding | Category | Location

Low | Missing allowed-tools declaration in SKILL.md | Misleading documentation | SKILL.md:1
  Description: SKILL.md declares the skill's trading behavior but omits explicit allowed-tools declarations. The code uses the network (via simmer-sdk) and reads environment variables (os.environ); both should be declared for transparency.
  Evidence: No allowed-tools section present
  → Recommendation: Add an allowed-tools section: Read→filesystem:READ, SimmerClient→network:READ, os.environ.get→environment:READ

Low | Unversioned PyPI dependency | Supply chain | SKILL.md:98
  Description: The skill declares 'simmer-sdk' from PyPI but provides no requirements.txt or equivalent version pin. Version resolution is delegated to pip's defaults.
  Evidence: simmer-sdk by Simmer Markets (SpartanLabsXyz) - PyPI
  → Recommendation: Add a requirements.txt with a pinned version (e.g., simmer-sdk==x.y.z) to prevent unexpected updates
Resource | Declared | Inferred | Status | Evidence
Network access | NONE | READ | ✓ consistent | trader.py:18 — SimmerClient uses requests to call the Polymarket API
Environment variables | NONE | READ | ✓ consistent | trader.py:51-59 — os.environ.get(...) reads SIMMER_API_KEY and risk tunables
Filesystem | NONE | NONE | | No file read/write operations in the code
Command execution | NONE | NONE | | No subprocess, no shell commands, no os.system calls
Skill invocation | NONE | NONE | | No recursive skill invocation
Clipboard | NONE | NONE | | Not used
Browser | NONE | NONE | | Not used
Database | NONE | NONE | | Not used

Directory structure

3 files · 33.2 KB · 857 lines
Python: 1 file, 631 lines · Markdown: 1 file, 139 lines · JSON: 1 file, 87 lines
├─ 📋 clawhub.json JSON 87L · 1.8 KB
├─ 📝 SKILL.md Markdown 139L · 6.3 KB
└─ 🐍 trader.py Python 631L · 25.2 KB

Dependency analysis (1)

Package | Version | Source | Known vulnerabilities | Notes
simmer-sdk | * | pip | | Version not pinned; declared only in SKILL.md

Security highlights

✓ No subprocess, shell, or eval calls — clean execution model
✓ No credential exfiltration — SIMMER_API_KEY is read but only passed to the official SimmerClient
✓ No obfuscation — all code is plain Python, readable
✓ No sensitive path access (~/.ssh, ~/.aws, .env files not touched)
✓ No base64 or encoded payloads
✓ Paper trading (sim) is the default, with explicit --live flag required for real trades
✓ Built-in risk parameters (position limits, spread limits, threshold gates) limit financial exposure
✓ No autostart or cron configuration — skill is demand-driven only