Back to skill

Security audit

Polymarket Screener

Security checks across malware telemetry and agentic risk

Overview

This package mostly reads public Polymarket data, but it is incoherent and includes an unrelated content-writing script that silently logs user inputs locally.

Review the scripts before installing or running. Use only scripts/polymarket.sh if you want the Polymarket API reader, avoid entering sensitive strategy notes into the unrelated content helper, and expect local files under ~/.polymarket-screener and an XDG data directory. I found no evidence of credential theft, automated betting, external upload of local files, or destructive behavior, but the package should be fixed before normal use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script logs raw user-supplied arguments to a local history file without informing the user or obtaining consent. Even though this is only local persistence, users may pass sensitive market research, draft content, internal notes, or other confidential data that then remains on disk and could be exposed to other local users, backups, or later compromise.

VirusTotal

44/44 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.