Trusted — Risk Score 5/100
Last scan: 1 day ago
polymarket-real-estate-trader
Trades Polymarket prediction markets on housing prices, mortgage rates, Fed rate decisions, real estate crash scenarios, and regional property market milestones using FOMC calendar timing and market type confidence signals.
A legitimate Polymarket trading skill that defaults to paper mode and uses a documented SDK without any malicious behavior.
Skill Name: polymarket-real-estate-trader
Duration: 31.1s
Engine: pi
Safe to install
No action needed. The skill is safe to use. Consider pinning the simmer-sdk dependency for reproducible builds.

Findings 1 item

Severity: Low
Finding: simmer-sdk dependency not version-pinned (Supply Chain)
Location: clawhub.json:4
clawhub.json declares pip dependency as 'simmer-sdk' with no version constraint. This could lead to unexpected behavior if a breaking update is released.
"pip": ["simmer-sdk"]
→ Pin to a specific version or version range, e.g., "simmer-sdk>=1.0,<2.0"
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | NONE | NONE | | No file read/write operations in trader.py |
| Network | NONE | READ | ✓ Aligned | Indirect network access via SimmerClient (SDK) for market discovery and trading … |
| Shell | NONE | NONE | | No subprocess/os.system/os.popen calls found |
| Environment | READ | READ | ✓ Aligned | trader.py:22-30 — only reads SIMMER_* prefixed env vars |
| Skill Invoke | NONE | NONE | | No cross-skill invocation |
| Clipboard | NONE | NONE | | No clipboard access |
| Browser | NONE | NONE | | No browser automation |
| Database | NONE | NONE | | No database access |

File Tree

3 files · 17.5 KB · 435 lines
Python 1f · 263L Markdown 1f · 104L JSON 1f · 68L
├─ 📋 clawhub.json JSON 68L · 1.1 KB
├─ 📝 SKILL.md Markdown 104L · 5.0 KB
└─ 🐍 trader.py Python 263L · 11.4 KB

Dependencies 1 item

| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| simmer-sdk | * | pip | No | Version not pinned — only dependency |

Security Positives

✓ Paper trading is the safe default (venue='sim'), real trades require explicit --live flag
✓ No shell execution (subprocess, os.system, os.popen) — all logic is pure Python
✓ No credential exfiltration — SIMMER_API_KEY is used only for SimmerClient authentication
✓ All environment variable access is scoped to SIMMER_* prefixed tunables
✓ No base64 encoding, obfuscation, or anti-analysis techniques
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ Clear documentation matches implementation — no doc-to-code mismatch
✓ Safety guard: get_client() enforces venue='sim' unless live=True is explicitly passed
✓ Skill has no autostart and no cron configured — nothing runs automatically