Low Risk — Risk Score 15/100
Last scan: 1 day ago
polymarket-bundle-crypto-fade-trader
Fades strong directional crypto moves on Polymarket 5-minute interval markets using conviction-based position sizing after detecting momentum streaks.
Legitimate Polymarket momentum fade trading bot with thorough documentation, safe defaults (paper mode), and no malicious behavior found.
Skill Name: polymarket-bundle-crypto-fade-trader
Duration: 56.0s
Engine: pi
Safe to install
Safe to use. Pin simmer-sdk to a specific version in a requirements.txt or deployment script before production use.

Findings (1 item)

Severity: Low
Finding: Unpinned simmer-sdk dependency
Category: Supply Chain
Location: SKILL.md:1
Package: simmer-sdk
SKILL.md declares 'pip install simmer-sdk' without a version constraint, so every install resolves to whatever release is current on PyPI at that moment; a later compromised or malicious release would be pulled in silently. A version pin alone does not protect against a typosquatted package name: the name must also be checked against the legitimate upstream (SpartanLabsXyz), and a hash-locked requirements file installed with 'pip install --require-hashes -r requirements.txt' ties the install to the exact artifact.
→ Pin to a specific version in a requirements.txt, or use 'pip install simmer-sdk==X.Y.Z' in deployment scripts.
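The check behind this finding, as an added example that is not part of the scan engine or of the skill: it pulls every 'pip install' command out of a Markdown document, reports each package that would float (no specifier, or a range such as '>=' that is not an exact pin), and classifies requirements.txt lines by whether they carry an exact pin and a sha256 hash. The SKILL.md excerpt and the requirements lines below are constructed for the example, and the version '1.2.3' and the all-zero hash are placeholders, not real simmer-sdk release data.

```python
"""Added example: detect unpinned 'pip install' commands and hash-locked requirements."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the shape of the text the finding points at;
# the real SKILL.md is not reproduced here.
SAMPLE_SKILL_MD = """# Setup
Run `pip install simmer-sdk` and export your SIMMER_* config.
For tests: pip install --upgrade pytest==8.3.3 simmer-sdk>=1.0
"""

# Constructed requirements lines; version and hash are placeholders.
SAMPLE_REQUIREMENTS = [
    "simmer-sdk==1.2.3 --hash=sha256:" + "0" * 64,
    "simmer-sdk>=1.0",
    "simmer-sdk",
]

# A pip install command and its argument list (stops at newline or backtick).
PIP_INSTALL_RE = re.compile(r"\bpip3?\s+install\s+([^\n`]+)")
# Package name, optional extras, optional version specifier (PEP 508 subset).
SPEC_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?"
    r"(?:\s*(?P<op>===|==|~=|!=|<=|>=|<|>)\s*(?P<ver>[^\s,;]+))?"
)


def normalize(name: str) -> str:
    """PEP 503 normalization so 'Simmer_SDK' and 'simmer-sdk' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


@dataclass
class Requirement:
    name: str
    op: Optional[str]
    version: Optional[str]

    @property
    def pinned(self) -> bool:
        # Only an exact match fixes the version; >=, ~=, < still float.
        return self.op in ("==", "===")


def parse_requirement(token: str) -> Optional[Requirement]:
    """Parse one requirement token; flags and malformed tokens return None."""
    m = SPEC_RE.match(token)
    if not m:
        return None
    return Requirement(normalize(m["name"]), m["op"], m["ver"])


def find_unpinned_installs(text: str) -> list:
    """(name, operator) for every package a 'pip install' line installs without an exact pin."""
    out = []
    for m in PIP_INSTALL_RE.finditer(text):
        for tok in m.group(1).split():
            if tok.startswith("-"):
                continue  # flags such as --upgrade are not packages
            req = parse_requirement(tok)
            if req and not req.pinned:
                out.append((req.name, req.op or ""))
    return out


def check_requirements_line(line: str) -> dict:
    """Classify a requirements.txt line: exact pin present, sha256 hash present."""
    parts = line.split()
    req = parse_requirement(parts[0]) if parts else None
    hashes = [p for p in parts[1:] if p.startswith("--hash=sha256:")]
    return {
        "name": req.name if req else None,
        "pinned": bool(req and req.pinned),
        "hashed": bool(hashes),
    }


if __name__ == "__main__":
    print(find_unpinned_installs(SAMPLE_SKILL_MD))
    for line in SAMPLE_REQUIREMENTS:
        print(line.split()[0], check_requirements_line(line))
```

Only the first requirements line would pass a 'pip install --require-hashes' install; the other two are exactly the state the finding describes. Run the pinned-and-hashed form from a deployment script rather than from a command a reader types out of SKILL.md.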
Resource     | Declared | Inferred | Status    | Evidence
Filesystem   | NONE     | NONE     | -         | No file reads or writes in trader.py
Network      | NONE     | READ     | ✓ Aligned | SimmerClient (trader.py:60) makes Polymarket API calls for market data and trade…
Shell        | NONE     | NONE     | -         | No subprocess/eval calls in trader.py
Environment  | NONE     | READ     | ✓ Aligned | Reads only SIMMER_* prefixed config vars (trader.py:27-38) for legitimate tradin…
Skill Invoke | NONE     | NONE     | -         | No cross-skill invocation
Clipboard    | NONE     | NONE     | -         | No clipboard access
Browser      | NONE     | NONE     | -         | No browser automation
Database     | NONE     | NONE     | -         | No database access

File Tree

3 files · 21.9 KB · 540 lines
Python 1f · 353L JSON 1f · 95L Markdown 1f · 92L
├─ 📋 clawhub.json JSON 95L · 2.1 KB
├─ 📝 SKILL.md Markdown 92L · 6.4 KB
└─ 🐍 trader.py Python 353L · 13.3 KB

Dependencies (1 item)

Package    | Version  | Source     | Known Vulns | Notes
simmer-sdk | unpinned | pip (PyPI) | No          | No version constraint in SKILL.md; recommend pinning to a specific version

Security Positives

✓ No subprocess, shell, or command execution calls
✓ No obfuscation (base64, eval, exec, or dynamic code loading)
✓ No credential harvesting; the only secret read is the skill's own API key
✓ No data exfiltration or C2 communication
✓ No sensitive file path access (~/.ssh, ~/.aws, .env, etc.)
✓ SKILL.md documentation is thorough and accurately describes all behavior
✓ Safe default: paper trading (sim mode) unless --live flag is explicitly passed
✓ API key only used for SimmerClient authentication, not exfiltrated
✓ autostart=false and cron=null prevent automatic execution
✓ Comprehensive risk parameters (MAX_POSITION, MAX_SPREAD, MIN_DAYS, etc.) with documented defaults
✓ All os.environ reads are limited to SIMMER_* prefixed variables used for trading configuration