Trusted · Risk score 5/100
Last scanned: 1 day ago
polymarket-macro-calendar-catalyst-trader
Trades Polymarket prediction markets that resolve near known calendar catalyst events (FOMC, sports, geopolitics, crypto, space launches)
A legitimate Polymarket trading bot that uses the simmer-sdk to trade prediction markets near calendar catalyst events, with no malicious behavior detected.
Skill name: polymarket-macro-calendar-catalyst-trader
Analysis time: 30.4s
Engine: pi
Verdict: Safe to install
This skill is safe to use. The SIMMER_API_KEY credential is required and documented, and all trading is paper-only by default.

Security findings: 1

Severity: Low
Finding: Unpinned simmer-sdk dependency
Category: Supply chain
Location: clawhub.json
The simmer-sdk dependency carries no version specifier, so pip installs whatever version is current on PyPI at install time. If a malicious or compromised release is ever published under that name, it is pulled in on the next fresh install without any change to the skill itself.
Evidence: "pip": ["simmer-sdk"]
→ Pin the dependency. An exact pin (simmer-sdk==<version>) is the safe choice; a bounded range such as "simmer-sdk>=1.0.0,<2.0.0" blocks major-version jumps but still lets new minor and patch releases install silently.
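A check a practitioner would run before installing, as an added example that is not the scanner's or the skill's own code: a stdlib-only audit of the "pip" list in a clawhub.json manifest that tells an exact pin apart from a bounded range and from no constraint at all. The manifest content below is constructed for the example; the bare simmer-sdk line is the one the scan quoted and the range is the one the recommendation suggests, while example-pkg and its version numbers are hypothetical.

```python
import json
import re
from typing import Dict, List

# Added example (not part of the skill or the scanner): audit pip requirement
# specs in a clawhub.json "pip" list for entries that allow silent upgrades.

# name, optional [extras], then everything else (specifiers and markers)
_NAME_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*(.*)$")
# one version clause: operator followed by a version string
_CLAUSE_RE = re.compile(r"^(===|==|~=|!=|<=|>=|<|>)\s*(\S+)$")


def classify(req: str) -> str:
    """Classify one pip requirement spec.

    'pinned'   - an exact == / === clause (the only form that stops upgrades)
    'ranged'   - version constraints that still admit new releases (>=, <, ~=, ==1.*)
    'unpinned' - no version constraint at all: any version installs
    'url'      - PEP 508 direct reference (pkg @ https://...), review separately
    'invalid'  - could not be parsed
    """
    if "@" in req:
        return "url"
    m = _NAME_RE.match(req)
    if not m:
        return "invalid"
    spec = m.group(2).split(";", 1)[0].strip()  # drop environment markers
    if not spec:
        return "unpinned"
    exact = False
    for clause in spec.split(","):
        cm = _CLAUSE_RE.match(clause.strip())
        if not cm:
            return "invalid"
        op, version = cm.groups()
        # ==1.* is a wildcard match, so it is a range, not a pin
        if op in ("==", "===") and not version.endswith(".*"):
            exact = True
    return "pinned" if exact else "ranged"


def audit_manifest(manifest_text: str) -> Dict[str, str]:
    """Map every requirement in the manifest's "pip" list to its classification."""
    manifest = json.loads(manifest_text)
    return {req: classify(req) for req in manifest.get("pip", [])}


def unpinned_requirements(manifest_text: str) -> List[str]:
    """Requirements that would trigger the same finding the scan raised for simmer-sdk."""
    return [req for req, status in audit_manifest(manifest_text).items()
            if status == "unpinned"]


# Constructed manifest fragment; only the skill name and the bare "simmer-sdk"
# entry come from the report, the rest is illustrative.
SAMPLE_MANIFEST = json.dumps({
    "name": "polymarket-macro-calendar-catalyst-trader",
    "pip": [
        "simmer-sdk",                  # as shipped: any version installs
        "simmer-sdk>=1.0.0,<2.0.0",    # the report's suggested range
        "example-pkg==1.2.3",          # hypothetical exact pin
        "example-pkg==1.*",            # wildcard: still a range
        "example-pkg[extra]~=1.4; python_version >= '3.8'",  # compatible release
    ],
})

if __name__ == "__main__":
    for req, status in audit_manifest(SAMPLE_MANIFEST).items():
        print(f"{status:9} {req}")
    print("would be flagged:", unpinned_requirements(SAMPLE_MANIFEST))
```

Only the bare entry is reported as a finding, matching the scan; ranged entries are returned by audit_manifest so a reviewer can decide whether a bounded range is acceptable for a package that mediates all of the skill's network traffic.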
Resource | Declared | Inferred | Status | Evidence
Filesystem | NONE | NONE | | No file operations in code
Network access | NONE | READ | ✓ consistent | SDK calls to Polymarket/Simmer APIs only; no direct network from skill
Command execution | NONE | NONE | | No subprocess or shell invocation
Environment variables | READ | READ | ✓ consistent | SKILL.md §Required Credentials declares SIMMER_API_KEY and tunables; code reads …
Skill invocation | NONE | NONE | | No inter-skill invocation
Clipboard | NONE | NONE | | No clipboard access
Browser | NONE | NONE | | No browser automation
Database | NONE | NONE | | No database access

Note on the network row: the manifest declares no network access while the inferred permission is READ. The scanner still marks the row consistent because every request goes through simmer-sdk rather than from the skill's own code. In practice the skill's network surface is whatever simmer-sdk does, including order submission when --live is passed, so the unpinned SDK dependency flagged above is the component to review.

Directory structure

3 files · 27.4 KB · 653 lines
Python: 1 file · 454 lines   Markdown: 1 file · 108 lines   JSON: 1 file · 91 lines
├─ 📋 clawhub.json   JSON · 91 lines · 1.9 KB
├─ 📝 SKILL.md       Markdown · 108 lines · 6.6 KB
└─ 🐍 trader.py      Python · 454 lines · 18.9 KB

Dependency analysis: 1 package

Package | Version | Source | Known vulnerabilities | Notes
simmer-sdk | * | pip | none listed | Version not pinned in clawhub.json

Security highlights

✓ Paper trading is the safe default; --live flag required for real trades
✓ No shell execution, subprocess, or command injection vectors
✓ No obfuscation (base64, eval, atob) anywhere in the codebase
✓ No sensitive file access (no ~/.ssh, ~/.aws, .env reads)
✓ No credential exfiltration — SIMMER_API_KEY is only used for SDK authentication
✓ No data exfiltration or C2 communication patterns
✓ Full documentation coverage: strategy, credentials, tunables, and safeguards all declared in SKILL.md
✓ clawhub.json is complete and accurate with all tunables declared
✓ Environment variable access is documented and limited to declared credential/tunable names