Liberfi Predict

Security checks across malware telemetry and agentic risk

Overview

This is a real prediction-market trading skill, but it asks for automatic installation, login, wallet setup, account lookup, and server-side signing authority that users should review before trusting.

Install only if you trust LiberFi and its CLI with prediction-market account access, server-managed wallet signing, Safe setup, token approvals, deposit-address generation, and order placement/cancellation. Require explicit approval before CLI installation, login, account lookup, wallet setup, deposits, approvals, or trades, and keep limited funds in wallets used with this skill.
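The approval requirement above (and the silent account-lookup findings later in this report) can be enforced mechanically rather than left to the agent's judgement. The following is an added example, not LiberFi's code and not part of the scan output: a one-shot approval gate in Python where every sensitive action needs a fresh user grant, and a per-trade cap stands in for "keep limited funds". The action names follow the overview; the `Session` class, the `max_trade_usd` cap and the stand-in tool functions are assumptions made for illustration.

```python
"""Added example (not LiberFi's code): a one-shot approval gate around the
sensitive actions the overview lists. Action names, the Session class, the
per-trade cap and the sample tool functions are assumptions for illustration."""
from dataclasses import dataclass, field
from enum import Enum


class Sensitive(Enum):
    """Actions the user must approve immediately before each use."""
    CLI_INSTALL = "cli_install"
    LOGIN = "login"
    ACCOUNT_LOOKUP = "account_lookup"
    WALLET_SETUP = "wallet_setup"
    DEPOSIT = "deposit"
    TOKEN_APPROVAL = "token_approval"
    TRADE = "trade"


class ApprovalRequired(Exception):
    """Raised when the agent attempts a sensitive action without a fresh grant."""


@dataclass
class Session:
    # Each grant is consumed by exactly one call, so a 'yes' given for one
    # account lookup cannot be reused for a trade or for a second lookup.
    grants: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)
    max_trade_usd: float = 50.0  # assumed per-trade cap for 'limited funds'

    def approve(self, action: Sensitive) -> None:
        """Record one explicit user approval for `action`."""
        self.grants[action] = self.grants.get(action, 0) + 1

    def run(self, action: Sensitive, tool, **kwargs):
        """Run `tool` only if an unused grant exists; log every decision."""
        if self.grants.get(action, 0) <= 0:
            self.audit.append(("blocked", action.value, kwargs))
            raise ApprovalRequired(f"{action.value} needs explicit user approval")
        if action is Sensitive.TRADE and kwargs.get("usd", 0) > self.max_trade_usd:
            # the grant is kept: the user approved a trade, not this size
            self.audit.append(("blocked", action.value, kwargs))
            raise ApprovalRequired(f"trade of {kwargs['usd']} USD exceeds cap")
        self.grants[action] -= 1
        self.audit.append(("ran", action.value, kwargs))
        return tool(**kwargs)


# Constructed stand-ins for the skill's tools; no network or CLI is touched.
def lookup_positions(account: str) -> dict:
    return {"account": account, "positions": []}


def place_order(market: str, usd: float) -> dict:
    return {"market": market, "usd": usd, "status": "submitted"}


def demo() -> list:
    """Walk the gate through blocked, approved, reused-grant and over-cap cases."""
    s = Session()
    results = []
    try:  # 'show my positions' with no approval given: blocked
        s.run(Sensitive.ACCOUNT_LOOKUP, lookup_positions, account="acct-1")
    except ApprovalRequired:
        results.append("lookup_blocked")
    s.approve(Sensitive.ACCOUNT_LOOKUP)
    results.append(s.run(Sensitive.ACCOUNT_LOOKUP, lookup_positions,
                         account="acct-1")["account"])
    try:  # the grant was one-shot, so a second lookup is blocked again
        s.run(Sensitive.ACCOUNT_LOOKUP, lookup_positions, account="acct-1")
    except ApprovalRequired:
        results.append("second_lookup_blocked")
    s.approve(Sensitive.TRADE)
    try:  # approved, but above the per-trade cap
        s.run(Sensitive.TRADE, place_order, market="m1", usd=500.0)
    except ApprovalRequired:
        results.append("trade_over_cap")
    results.append(s.run(Sensitive.TRADE, place_order,
                         market="m1", usd=20.0)["status"])
    return results


if __name__ == "__main__":
    print(demo())
```

The point of consuming grants one call at a time is that a single "yes" in conversation cannot be stretched by later phrasing into an unapproved lookup or trade; the audit list gives a per-session record of what was blocked and why.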

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Intent-Code Divergence

Severity: Medium
Confidence: 94%
Finding
The operational sections give the legacy external-signing Kalshi and Polymarket flows as the concrete step-by-step procedures, even though the skill elsewhere marks the TEE auto-flow as the recommended and safer path. This inconsistency can lead the agent to follow deprecated flows that require sensitive credentials or user-managed signing, increasing the chance of misuse, credential-handling mistakes, or unsafe execution paths.

Intent-Code Divergence

Severity: Medium
Confidence: 96%
Finding
The cross-skill example for checking a user's own prediction portfolio tells the agent to use user-supplied addresses, which directly contradicts the mandatory auto-resolution flow described elsewhere. In practice this can lead to account mix-ups, incorrect data retrieval, privacy issues, and failure to use the intended server-managed identity flow for first-person account queries.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding
The trigger list includes broad, everyday terms such as 'events', 'event' and 'outcome', plus generic betting and probability phrases, all of which appear in many unrelated conversations. Over-broad activation can route users into a trading-capable skill unexpectedly, increasing the risk of privacy-invasive account lookups or of preparatory steps toward financial actions in the wrong context.
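A quick way to catch this class of finding before publishing a skill is to lint its trigger list against a corpus of ordinary, unrelated utterances. The following is an added example, not SkillSpector's or LiberFi's code: a small Python linter that flags single generic words and any trigger that fires on unrelated text. The broad triggers are the ones the finding names; the domain-specific triggers and the sample utterances are constructed for contrast.

```python
"""Added example (not the scanner's or the skill's code): lint a skill's
trigger phrases for over-broad activation. Trigger list and the unrelated
utterances are constructed samples; the three single words come from the
finding above, the multi-word phrases are assumed for contrast."""
import re
from collections import Counter

# Constructed sample trigger list for a prediction-market skill.
TRIGGERS = [
    "event",
    "events",
    "outcome",
    "prediction market",
    "place a bet on kalshi",
    "polymarket odds",
]

# Constructed utterances an assistant sees in conversations that have
# nothing to do with trading; a trigger that fires here is too broad.
UNRELATED = [
    "Add a calendar event for Friday",
    "What was the outcome of the code review?",
    "Log the events from the firewall",
    "Can you summarize this meeting?",
]


def compile_trigger(trigger: str) -> re.Pattern:
    """Whole-word, case-insensitive match; internal spaces match any whitespace."""
    words = [re.escape(w) for w in trigger.split()]
    return re.compile(r"\b" + r"\s+".join(words) + r"\b", re.IGNORECASE)


def false_fires(triggers, corpus) -> Counter:
    """Count how many unrelated utterances each trigger would activate on."""
    hits = Counter()
    for trigger in triggers:
        pattern = compile_trigger(trigger)
        hits[trigger] += sum(1 for text in corpus if pattern.search(text))
    return hits


def lint_triggers(triggers, corpus, min_words: int = 2) -> list:
    """Return (trigger, reasons) pairs for triggers that are too broad."""
    hits = false_fires(triggers, corpus)
    findings = []
    for trigger in triggers:
        reasons = []
        if len(trigger.split()) < min_words:
            reasons.append("single generic word")
        if hits[trigger]:
            reasons.append(f"fires on {hits[trigger]} unrelated utterance(s)")
        if reasons:
            findings.append((trigger, reasons))
    return findings


if __name__ == "__main__":
    for trigger, reasons in lint_triggers(TRIGGERS, UNRELATED):
        print(f"{trigger!r}: {'; '.join(reasons)}")
```

The corpus check matters more than the word-count rule: a two-word phrase such as "final outcome" would pass the length test yet still fire on ordinary review or sports conversation, and only a realistic negative corpus reveals that.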

Natural-Language Policy Violations

Severity: Medium
Confidence: 87%
Finding
The flow hard-codes Chinese-language user messaging for a funding prompt instead of adapting to the user's language or asking their preference. In a financial trading context, forcing a specific language can cause users to misunderstand deposit instructions, addresses, supported chains, or minimum amounts, which can lead to misdirected funds or consent given by mistake.

Ssd 3

Severity: High
Confidence: 98%
Finding
This section explicitly instructs the agent to authenticate, resolve the user's server-managed wallet addresses, and query balances, positions, or trades without asking the user for identifying information or confirming access. That creates a privacy and authorization risk: an automatically invoked skill could retrieve sensitive financial account data on the strength of conversational phrasing alone, with no explicit consent at the moment of access.

Ssd 3

Severity: High
Confidence: 99%
Finding
The 'My ...' auto-flow operationalizes silent identity resolution and consolidation of balances, trades, and PnL, while explicitly telling the agent not to ask the user for their wallet address and not to expose it unless requested. This is more dangerous in context because the skill handles real-money prediction-market accounts; hidden account resolution lowers transparency and can expose sensitive financial data without clear, informed user authorization.

VirusTotal

65/65 vendors reported this skill as clean.