Trusted: risk score 5/100
Last scanned: 1 day ago
polymarket-real-estate-trader
Trades Polymarket prediction markets on housing prices, mortgage rates, Fed rate decisions, real estate crash scenarios, and regional property market milestones using FOMC calendar timing and market type confidence signals.
A legitimate Polymarket trading skill that defaults to paper mode and uses a documented SDK without any malicious behavior.
Skill name: polymarket-real-estate-trader
Analysis time: 31.1s
Engine: pi
Verdict: installable
No action needed. The skill is safe to use. Consider pinning the simmer-sdk dependency for reproducible builds.

Security findings (1)

Severity:  Low
Finding:   simmer-sdk dependency not version-pinned
Location:  Supply chain (clawhub.json:4)
Details:   clawhub.json declares the pip dependency as 'simmer-sdk' with no version constraint. This could lead to unexpected behavior if a breaking update is released.
Evidence:  "pip": ["simmer-sdk"]
→ Pin to a specific version or version range, e.g., "simmer-sdk>=1.0,<2.0"
Resource type      Declared  Inferred  Status        Evidence
File system        NONE      NONE                    No file read/write operations in trader.py
Network access     NONE      READ      ✓ consistent  Indirect network access via SimmerClient (SDK) for market discovery and trading …
Command execution  NONE      NONE                    No subprocess/os.system/os.popen calls found
Environment vars   READ      READ      ✓ consistent  trader.py:22-30 — only reads SIMMER_* prefixed env vars
Skill invocation   NONE      NONE                    No cross-skill invocation
Clipboard          NONE      NONE                    No clipboard access
Browser            NONE      NONE                    No browser automation
Database           NONE      NONE                    No database access

Directory structure

3 files · 17.5 KB · 435 lines
Python 1 file · 263 lines; Markdown 1 file · 104 lines; JSON 1 file · 68 lines
├─ clawhub.json  JSON      68 lines · 1.1 KB
├─ SKILL.md      Markdown  104 lines · 5.0 KB
└─ trader.py     Python    263 lines · 11.4 KB

Dependency analysis (1)

Package     Version  Source  Known vulnerabilities  Notes
simmer-sdk  *        pip                            Version not pinned; only dependency

Security highlights

✓ Paper trading is the safe default (venue='sim'), real trades require explicit --live flag
✓ No shell execution (subprocess, os.system, os.popen) — all logic is pure Python
✓ No credential exfiltration — SIMMER_API_KEY is used only for SimmerClient authentication
✓ All environment variable access is scoped to SIMMER_* prefixed tunables
✓ No base64 encoding, obfuscation, or anti-analysis techniques
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ Clear documentation matches implementation — no doc-to-code mismatch
✓ Safety guard: get_client() enforces venue='sim' unless live=True is explicitly passed
✓ Skill has no autostart and no cron configured — nothing runs automatically