Polymarket Valuation Divergence

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Polymarket trading automation skill that only places real trades when the user explicitly runs live mode.

Install only if you intend to connect a Simmer/Polymarket trading account. Start with dry runs, review `max_position_usd`, `max_trades_per_run`, and edge settings, and avoid unattended `--live --quiet` use unless you have monitoring and loss controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium (89% confidence)
Finding
The quick-start flow presents `--live` as a normal next step without a prominent warning that it can place real-money trades and that positions may remain open until market resolution. In a trading skill, this omission materially increases the chance of accidental financial loss from user misunderstanding.

Missing User Warnings

Medium (95% confidence)
Finding
Running with `--live` causes the script to place real trades immediately once signals pass thresholds, with no interactive confirmation, dry-run diff, or secondary approval. In a trading skill, this increases the chance of accidental financial loss from operator error, misconfiguration, bad model output, or unintended automation triggers.

VirusTotal

66/66 vendors flagged this skill as clean.