Low risk (risk score 15/100)
Last scan: 1 day ago
polymarket-bundle-crypto-fade-trader
Fades strong directional crypto moves on Polymarket 5-minute interval markets using conviction-based position sizing after detecting momentum streaks.
Legitimate Polymarket momentum fade trading bot with thorough documentation, safe defaults (paper mode), and no malicious behavior found.
Skill name: polymarket-bundle-crypto-fade-trader
Analysis time: 56.0s
Engine: pi
OK to install
Safe to use. Pin simmer-sdk to a specific version in a requirements.txt or deployment script before production use.

Security findings: 1

Severity | Finding | Location
Low | Unpinned simmer-sdk dependency (supply chain) | SKILL.md:1
Details: SKILL.md declares 'pip install simmer-sdk' without a version constraint. A typosquatting or compromised package with this name could be installed instead of the legitimate one from SpartanLabsXyz.
Affected package: simmer-sdk
→ Recommendation: Pin to a specific version in a requirements.txt or use 'pip install simmer-sdk==X.Y.Z' in deployment scripts.
Resource | Declared permission | Inferred permission | Status | Evidence
Filesystem | NONE | NONE | | No file reads or writes in trader.py
Network access | NONE | READ | ✓ consistent | SimmerClient (trader.py:60) makes Polymarket API calls for market data and trade…
Command execution | NONE | NONE | | No subprocess/eval calls in trader.py
Environment variables | NONE | READ | ✓ consistent | Reads only SIMMER_* prefixed config vars (trader.py:27-38) for legitimate tradin…
Skill invocation | NONE | NONE | | No cross-skill invocation
Clipboard | NONE | NONE | | No clipboard access
Browser | NONE | NONE | | No browser automation
Database | NONE | NONE | | No database access

Directory structure

3 files · 21.9 KB · 540 lines
Python: 1 file · 353 lines; JSON: 1 file · 95 lines; Markdown: 1 file · 92 lines
├─ clawhub.json  (JSON, 95 lines, 2.1 KB)
├─ SKILL.md      (Markdown, 92 lines, 6.4 KB)
└─ trader.py     (Python, 353 lines, 13.3 KB)

Dependency analysis: 1

Package | Version | Source | Known vulnerabilities | Notes
simmer-sdk | unpinned | pip (PyPI) | | No version constraint in SKILL.md; recommend pinning to a specific version

Security highlights

✓ No subprocess, shell, or command execution calls
✓ No obfuscation (base64, eval, exec, or dynamic code loading)
✓ No credential harvesting beyond the skill's own API key
✓ No data exfiltration or C2 communication
✓ No sensitive file path access (~/.ssh, ~/.aws, .env, etc.)
✓ SKILL.md documentation is thorough and accurately describes all behavior
✓ Safe default: paper trading (sim mode) unless --live flag is explicitly passed
✓ API key only used for SimmerClient authentication, not exfiltrated
✓ autostart=false and cron=null prevent automatic execution
✓ Comprehensive risk parameters (MAX_POSITION, MAX_SPREAD, MIN_DAYS, etc.) with documented defaults
✓ All os.environ reads are limited to SIMMER_* prefixed variables used for trading configuration