Scan Report
5 /100
polymarket-ladder-f1-championship-trader
Trades distribution-sum violations in F1 championship winner markets on Polymarket
A legitimate Polymarket F1 championship trading bot with no malicious behavior, clear documentation, and safe defaults (paper trading mode).
Safe to install
No action needed. This is a safe, documented trading strategy that only accesses declared environment variables and uses a legitimate external SDK.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | NONE | NONE | — | No file operations in code |
| Network | READ | READ | ✓ Aligned | trader.py:168-177 Uses simmer-sdk for API calls, declared in SKILL.md |
| Shell | NONE | NONE | — | No subprocess, os.system, or shell commands |
| Environment | READ | READ | ✓ Aligned | trader.py:69-76 Reads configuration env vars (SIMMER_MAX_POSITION, etc.) |
| Skill Invoke | NONE | NONE | — | Not used |
| Clipboard | NONE | NONE | — | Not used |
| Browser | NONE | NONE | — | Not used |
| Database | NONE | NONE | — | Not used |
File Tree
3 files · 23.9 KB · 602 lines Python 1f · 349L
Markdown 1f · 166L
JSON 1f · 87L
├─
clawhub.json
JSON
├─
SKILL.md
Markdown
└─
trader.py
Python
Dependencies 1 items
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
simmer-sdk | * | pip | No | Version not pinned; declared external dependency from SpartanLabsXyz |
Security Positives
✓ Clean, readable code with no obfuscation or base64-encoded strings
✓ Safe defaults: paper trading (venue=sim) is the default mode, --live flag required for real trades
✓ All environment variable access is documented and declared in SKILL.md and clawhub.json
✓ External dependency is pinned to simmer-sdk from PyPI (SpartanLabsXyz) with declared source
✓ No file system access, no shell execution, no sensitive path access
✓ Credential (SIMMER_API_KEY) is only used for SimmerClient initialization, not exfiltrated
✓ Documentation accurately describes functionality with clear risk disclosures
✓ No network calls made directly—all API communication goes through official simmer-sdk
✓ Proper error handling throughout with safe_print() for encoding issues