Scan Report
5/100
polymarket-candle-gap-fill-trader
Trades gap-fill reversions on Polymarket 5-minute crypto interval markets using conviction-based sizing
A legitimate Polymarket gap-fill trading bot that operates safely in paper mode by default, uses a standard SDK dependency, and has no malicious patterns.
Safe to install
No action needed. Skill is safe for use with safe defaults (paper trading). Ensure SIMMER_API_KEY is kept secure when enabling live trading.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | NONE | NONE | — | No file read/write operations in trader.py |
| Network | READ | READ | ✓ Aligned | client.find_markets(), client.get_markets(), client.trade() at lines 215, 223, 2… |
| Shell | NONE | NONE | — | No subprocess/os.system calls in trader.py |
| Environment | READ | READ | ✓ Aligned | os.environ.get('SIMMER_*') throughout trader.py |
| Skill Invoke | NONE | NONE | — | No skill invocation patterns |
| Clipboard | NONE | NONE | — | No clipboard access |
| Browser | NONE | NONE | — | No browser automation |
| Database | NONE | NONE | — | No database operations |
File Tree
3 files · 21.4 KB · 537 lines
Python 1f · 359L
Markdown 1f · 91L
JSON 1f · 87L
├─ clawhub.json (JSON)
├─ SKILL.md (Markdown)
└─ trader.py (Python)
Dependencies (1 item)
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| simmer-sdk | * | pip | No | No version pinned; legitimate trading SDK by SpartanLabsXyz |
Security Positives
✓ Safe defaults: venue='sim' (paper trading) without --live flag
✓ No subprocess/shell execution - uses official simmer-sdk
✓ No sensitive path access (~/.ssh, ~/.aws, .env)
✓ No base64 decoding or obfuscation
✓ No curl|bash or remote script execution
✓ All environment variable access is declared and documented
✓ Credential (SIMMER_API_KEY) is used only for SDK authentication, not exfiltrated
✓ No data exfiltration to external IPs beyond legitimate trading API calls