Low risk: risk score 15/100
Last scan: 1 day ago
polymarket-longshot-bias-trader
Exploits longshot bias in prediction markets — fades overpriced low-probability outcomes (buy NO at p≤10%) and backs underpriced near-certainties (buy YES at p≥88%).
Legitimate Polymarket trading bot exploiting longshot bias. Code is clean with no malicious patterns; minor doc mismatch on declared vs required permissions.
Skill name: polymarket-longshot-bias-trader
Analysis time: 60.8s
Engine: pi
Verdict: OK to install
Consider updating allowed-tools to reflect that filesystem:WRITE (for running the Python script) and network:READ (for simmer-sdk API calls) are required.

Security findings (2)

Severity | Finding | Location

Severity: Low
Finding: Missing permission declarations in allowed-tools (category: documentation deception)
The allowed-tools field declares NONE for filesystem, network, and shell, but the skill's execution model inherently requires filesystem:WRITE (run Python script), network:READ (simmer-sdk API calls), and shell:WRITE. SKILL.md describes the SDK dependency and API usage, which partially covers the network requirement.
Evidence: allowed-tools: filesystem→NONE, network→NONE, shell→NONE
→ Update allowed-tools to reflect: filesystem:WRITE, network:READ, shell:WRITE, environment:FULL
Location: clawhub.json:1

Severity: Low
Finding: Unversioned third-party dependency (category: supply chain)
simmer-sdk is declared as a pip dependency without a version pin. If the package is updated on PyPI, the installed version could change, potentially introducing malicious code or breaking changes.
Evidence: simmer-sdk by Simmer Markets (SpartanLabsXyz)
→ Pin to a specific version, e.g., simmer-sdk==1.2.3
Location: SKILL.md:161
Resource type | Declared permission | Inferred permission | Status | Evidence
Filesystem | NONE | WRITE | ✗ Exceeds declaration | trader.py requires filesystem access to execute the Python script itself and rea…
Network access | NONE | READ | ✗ Exceeds declaration | simmer-sdk makes outbound API calls to Polymarket and Simmer APIs (client.find_m…
Command execution | NONE | WRITE | ✗ Exceeds declaration | Running python trader.py via agent requires shell:WRITE — inherent to any Python…
Environment variables | FULL | FULL | ✓ Consistent | os.environ.get() used for SIMMER_API_KEY and all tunable parameters (lines 31-39…

Directory structure

3 files · 24.7 KB · 589 lines
Python: 1 file · 334 lines; Markdown: 1 file · 176 lines; JSON: 1 file · 79 lines
├─ 📋 clawhub.json (JSON, 79 lines · 1.7 KB)
├─ 📝 SKILL.md (Markdown, 176 lines · 8.8 KB)
└─ 🐍 trader.py (Python, 334 lines · 14.3 KB)

Dependency analysis (1)

Package | Version | Source | Known vulnerabilities | Notes
simmer-sdk | * | pip | | Version not pinned. SDK wraps Polymarket and Simmer API calls — required for market discovery and trade execution.

Security highlights

✓ No subprocess, shell, or os.system calls in the codebase — clean execution model
✓ No base64 encoding, obfuscation, or anti-analysis patterns detected
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env files, credential stores)
✓ No environment variable enumeration for credential harvesting
✓ Paper trading is the safe default (venue=sim) — real trades require explicit --live flag
✓ No hidden HTML comments, injected instructions, or steganography
✓ No data exfiltration or C2 communication patterns
✓ Code is readable and straightforward — 334 lines of plain Python
✓ SIMMER_API_KEY is used only for SDK authentication, not transmitted elsewhere
✓ No cron/automaton autostart — skill requires explicit invocation (autostart: false)