Low Risk — Risk Score 10/100
Last scan: 2 days ago
kalshi-crypto-monotonicity-trader
Enforces monotonicity constraints on crypto price-level markets on Kalshi. Trades violations by buying underpriced lower-threshold contracts and selling overpriced higher-threshold ones.
A legitimate Kalshi crypto arbitrage trading bot with no malicious indicators. Minor documentation inconsistencies around credential declarations are the only noteworthy issues.
Skill Name: kalshi-crypto-monotonicity-trader
Duration: 50.5s
Engine: pi
Safe to install
Approve for use. The skill's behavior is fully consistent with its stated purpose of enforcing monotonicity constraints on Kalshi prediction markets. Users should keep SIMMER_API_KEY and SOLANA_PRIVATE_KEY credentials private as documented.

Findings (3 items)

Low: SOLANA_PRIVATE_KEY not declared in requires.env
Location: clawhub.json:6
clawhub.json only declares SIMMER_API_KEY in its requires.env list, but SKILL.md lists both SIMMER_API_KEY and SOLANA_PRIVATE_KEY as required environment variables, and the code reads both (trader.py:161-166). This is a documentation inconsistency rather than a security issue, since the credential is legitimately needed for live trading.
Evidence: "env": ["SIMMER_API_KEY"]
→ Add "SOLANA_PRIVATE_KEY" to the requires.env array in clawhub.json to match SKILL.md.

Low: Optional cross-skill tradejournal import not declared
Location: trader.py:33
The skill attempts to import tradejournal from either the top-level or the skills namespace, falling back silently if neither is present. This is a cross-skill invocation capability (skill_invoke:READ) that is not declared in SKILL.md or in the capability declarations.
Evidence: from tradejournal import log_trade  # try 1, then skills.tradejournal
→ Declare tradejournal as an optional skill dependency in SKILL.md if this integration is intentional.

Low: simmer-sdk dependency not version-pinned
Location: SKILL.md:118
The skill depends on simmer-sdk from PyPI without a pinned version, which leaves the installation exposed to upstream changes.
Evidence: requires_pip: "simmer-sdk"
→ Pin to a specific version range (e.g., simmer-sdk>=1.0.0,<2.0.0) to ensure reproducible behavior.
Resource | Declared | Inferred | Status | Evidence
Filesystem | WRITE | WRITE | ✓ Aligned | trader.py:89 - load_config writes config files via simmer_sdk
Network | READ | READ | ✓ Aligned | trader.py:200-207 - GET /api/sdk/markets and /api/sdk/positions
Shell | NONE | NONE | - | No subprocess or shell execution found in codebase
Environment | READ | READ | ✓ Aligned | trader.py:161 - os.environ.get('SIMMER_API_KEY')
Skill Invoke | NONE | READ | ✓ Aligned | trader.py:33-38 - attempts optional import from skills.tradejournal
Clipboard | NONE | NONE | - | Not used
Browser | NONE | NONE | - | Not used
Database | NONE | NONE | - | Not used
External references (2 findings)
Severity | Type | Value | Location
Medium | External URL | https://simmer.markets/skills | SKILL.md:10
Info | Email address | [email protected] | SKILL.md:118

File Tree

3 files · 32.9 KB · 892 lines
Python: 1 file, 687 lines · Markdown: 1 file, 120 lines · JSON: 1 file, 85 lines
├─ 📋 clawhub.json JSON 85L · 1.6 KB
├─ 📝 SKILL.md Markdown 120L · 5.0 KB
└─ 🐍 trader.py Python 687L · 26.3 KB

Dependencies (2 items)

Package | Version | Source | Known Vulns | Notes
simmer-sdk | * | pip (PyPI) | No | Version not pinned; published by Simmer Markets ([email protected])
tradejournal | * | optional skill dependency | No | Optional import with graceful fallback; not installed by default

Security Positives

✓ Dry-run mode is the default; --live flag is required for real trade execution
✓ Position size is capped at $5.00 per market with max 3 trades per run
✓ Comprehensive safeguard checks including slippage limits, liquidity thresholds, and time-to-resolution checks
✓ No base64-encoded payloads, eval(), or dynamic code execution observed
✓ No curl|bash or wget|sh remote script execution patterns
✓ No access to sensitive paths such as ~/.ssh, ~/.aws, or .env files
✓ No credential exfiltration or suspicious network behavior detected
✓ Network requests target only known Simmer API endpoints
✓ Clear and well-documented strategy with explicit risk parameters
✓ Automated reporting with skip_reason fields prevents silent failures