Low Risk — Risk Score 15/100
Last scan: 1 day ago
polymarket-longshot-bias-trader
Exploits longshot bias in prediction markets — fades overpriced low-probability outcomes (buy NO at p≤10%) and backs underpriced near-certainties (buy YES at p≥88%).
Legitimate Polymarket trading bot exploiting longshot bias. Code is clean with no malicious patterns; minor doc mismatch on declared vs required permissions.
Skill Name: polymarket-longshot-bias-trader
Duration: 60.8s
Engine: pi
Safe to install
Consider updating allowed-tools to reflect that filesystem:WRITE (for running the Python script) and network:READ (for simmer-sdk API calls) are required.

Findings (2 items)

Severity: Low
Finding: Missing permission declarations in allowed-tools (Doc Mismatch)
Location: clawhub.json:1
The allowed-tools field declares NONE for filesystem, network, and shell, but the skill's execution model inherently requires filesystem:WRITE (run Python script), network:READ (simmer-sdk API calls), and shell:WRITE. SKILL.md describes the SDK dependency and API usage, which partially covers the network requirement.
Evidence: allowed-tools: filesystem→NONE, network→NONE, shell→NONE
Recommendation: Update allowed-tools to reflect: filesystem:WRITE, network:READ, shell:WRITE, environment:FULL

Severity: Low
Finding: Unversioned third-party dependency (Supply Chain)
Location: SKILL.md:161
simmer-sdk is declared as a pip dependency without a version pin. If the package is updated on PyPI, the installed version could change, potentially introducing malicious code or breaking changes.
Evidence: simmer-sdk by Simmer Markets (SpartanLabsXyz)
Recommendation: Pin to a specific version, e.g., simmer-sdk==1.2.3
Permission Analysis

Resource | Declared | Inferred | Status | Evidence
Filesystem | NONE | WRITE | ✗ Violation | trader.py requires filesystem access to execute the Python script itself and rea…
Network | NONE | READ | ✗ Violation | simmer-sdk makes outbound API calls to Polymarket and Simmer APIs (client.find_m…
Shell | NONE | WRITE | ✗ Violation | Running python trader.py via agent requires shell:WRITE — inherent to any Python…
Environment | FULL | FULL | ✓ Aligned | os.environ.get() used for SIMMER_API_KEY and all tunable parameters (lines 31-39…

File Tree

3 files · 24.7 KB · 589 lines
Python 1f · 334L Markdown 1f · 176L JSON 1f · 79L
├─ 📋 clawhub.json JSON 79L · 1.7 KB
├─ 📝 SKILL.md Markdown 176L · 8.8 KB
└─ 🐍 trader.py Python 334L · 14.3 KB

Dependencies (1 item)

Package | Version | Source | Known Vulns | Notes
simmer-sdk | * | pip | No | Version not pinned. SDK wraps Polymarket and Simmer API calls — required for market discovery and trade execution.

Security Positives

✓ No subprocess, shell, or os.system calls in the codebase — clean execution model
✓ No base64 encoding, obfuscation, or anti-analysis patterns detected
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env files, credential stores)
✓ No environment variable enumeration for credential harvesting
✓ Paper trading is the safe default (venue=sim) — real trades require explicit --live flag
✓ No hidden HTML comments, injected instructions, or steganography
✓ No data exfiltration or C2 communication patterns
✓ Code is readable and straightforward — 334 lines of plain Python
✓ SIMMER_API_KEY is used only for SDK authentication, not transmitted elsewhere
✓ No cron/automation autostart — skill requires explicit invocation (autostart: false)