Polymarket Copytrading

Security checks across malware telemetry and agentic risk

Overview

The skill is disclosed as a copytrading bot, but the packaged automation executes live financial trades every 15 minutes with no separate consent gate.

Install only if you intentionally want unattended live Polymarket copytrading. Before enabling it, edit the managed automaton entrypoint to drop the --live flag so that scheduled runs are dry runs, review the tracked wallets and the market-import behavior, set strict Simmer spending limits, and use a restricted API key or a dedicated low-balance account where possible.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 84%
Finding
The skill requires an environment secret (`SIMMER_API_KEY`) and instructs the agent to make network calls to the Polymarket and Simmer APIs, yet it declares no permissions. That mismatch weakens platform controls and the user's visibility into what the skill can reach, which matters here because the skill can initiate automated trading through API-backed account access.

Context-Inappropriate Capability

Medium
Confidence: 93%
Finding
The skill is described as mirroring whale wallets, but it can also call `client.import_market(pm_url)`, which expands its authority by automatically bringing new markets into Simmer. That widens the blast radius from copying trades on already-known markets to creating access to additional markets referenced by untrusted API data, with no separate approval step.

Intent-Code Divergence

Medium
Confidence: 79%
Finding
A comment states that the Polymarket endpoints are used only for read-only market data, but the skill as a whole also performs live trading and can import markets. Misleading capability descriptions are dangerous in trading automation because operators may underestimate what the skill can actually do and enable it in higher-trust environments.

Vague Triggers

Medium
Confidence: 77%
Finding
The description contains broad trigger phrases such as 'follow smart money' and 'automate position copying on prediction markets', which can match ordinary user requests and activate the skill in contexts the user did not clearly intend. In a trading skill, accidental invocation is more dangerous than usual because activation can lead to monitoring wallets, handling API-backed trading context, or prompting the user toward live execution of financial actions.

Missing User Warnings

High
Confidence: 98%
Finding
The manifest is configured to run on a 15-minute cron schedule, with a managed automaton entrypoint that invokes the trading bot in live mode. That enables autonomous trading without any user-facing disclosure or consent mechanism in this file. For a copytrading skill that mirrors whale wallets on prediction markets, this raises the risk that users unknowingly authorize real-money market actions, leading to financial loss, regulatory exposure, or unintended repeated trades.

Missing User Warnings

Medium
Confidence: 96%
Finding
Passing --live is sufficient to enable real-money trading; there is no secondary confirmation, no acknowledgement of the account or venue, and no human approval before orders are submitted. In an automation context, a mistyped command, a wrapper bug, or prompt/CLI injection can therefore immediately trigger irreversible financial actions.
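The two Missing User Warnings findings and the Context-Inappropriate Capability finding above describe the same failure mode from different angles: a single flag flips real money on, and the bot can widen its own scope by importing markets it learns about from untrusted API data. The following is an added example of how an operator could wrap such a job so that it fails toward dry-run instead of toward live trading. It is not code from the skill, from Simmer or from Polymarket; the acknowledgement phrase, the consent-record fields, the limit values and the sample trades are all constructed assumptions. It goes beyond the findings in one respect: the consent record is bound to a hash of the limits, so editing the allowlist or caps after consent silently revokes live mode.

```python
"""Consent gate and blast-radius limits for an unattended copytrading job.

Added example for this page; not code from the skill, Simmer or Polymarket.
The acknowledgement phrase, consent-record fields, limits and sample trades
below are constructed assumptions.
"""
import argparse
import hashlib
import json
import time
from dataclasses import dataclass, field
from typing import Iterable, Mapping, Optional

ACK_PHRASE = "I ACCEPT UNATTENDED LIVE TRADING"   # assumed: operator exports this exact text
CONSENT_MAX_AGE_S = 7 * 24 * 3600                 # assumed: consent expires after seven days


@dataclass(frozen=True)
class Limits:
    max_order_usd: float
    max_daily_usd: float
    market_allowlist: frozenset          # Polymarket URLs the operator approved by hand

    def digest(self) -> str:
        body = {"order": self.max_order_usd, "daily": self.max_daily_usd,
                "markets": sorted(self.market_allowlist)}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def resolve_mode(argv: Iterable[str], env: Mapping[str, str],
                 consent: Optional[dict], limits: Limits, now: float) -> bool:
    """Return True only when every independent consent signal agrees.

    Weak pattern from the finding: ``--live`` alone switches real money on.
    Here the flag, an environment acknowledgement and an unexpired consent
    record bound to the current limits must all be present; anything missing
    degrades to dry-run rather than failing open.
    """
    parser = argparse.ArgumentParser(add_help=False)
    parser.add_argument("--live", action="store_true")
    args, _unknown = parser.parse_known_args(list(argv))
    if not args.live:
        return False                                   # plain scheduled run: dry-run
    if env.get("SIMMER_LIVE_ACK") != ACK_PHRASE:       # assumed variable name
        return False                                   # cron or a wrapper bug cannot pass this
    if not consent or now - consent.get("granted_at", 0) > CONSENT_MAX_AGE_S:
        return False                                   # absent or stale consent
    return consent.get("limits_sha256") == limits.digest()   # limits changed since consent?


@dataclass
class Session:
    live: bool
    limits: Limits
    spent_today_usd: float = 0.0
    rejected: list = field(default_factory=list)


def approve_order(session: Session, market_url: str, notional_usd: float) -> bool:
    """Gate one mirrored order: allowlisted market, per-order cap, daily cap.

    An unknown market is refused instead of being imported on the whale's
    say-so; that refusal is the separate approval step the import finding asks for.
    """
    if market_url not in session.limits.market_allowlist:
        session.rejected.append(("market_not_allowlisted", market_url, notional_usd))
        return False
    if notional_usd > session.limits.max_order_usd:
        session.rejected.append(("order_cap", market_url, notional_usd))
        return False
    if session.spent_today_usd + notional_usd > session.limits.max_daily_usd:
        session.rejected.append(("daily_cap", market_url, notional_usd))
        return False
    session.spent_today_usd += notional_usd          # counted in dry-run too, to size the caps
    return True


def run_cycle(session: Session, mirrored_trades: Iterable[dict]) -> list:
    """One 15-minute cycle over observed whale trades; returns the approved ones."""
    return [t for t in mirrored_trades if approve_order(session, t["market"], t["usd"])]


# Constructed sample input standing in for trades seen on tracked wallets.
SAMPLE_TRADES = [
    {"wallet": "0xwhale1", "market": "https://polymarket.com/event/known-a", "usd": 40.0},
    {"wallet": "0xwhale1", "market": "https://polymarket.com/event/new-market", "usd": 25.0},
    {"wallet": "0xwhale2", "market": "https://polymarket.com/event/known-a", "usd": 500.0},
    {"wallet": "0xwhale2", "market": "https://polymarket.com/event/known-b", "usd": 70.0},
]
SAMPLE_LIMITS = Limits(max_order_usd=100.0, max_daily_usd=100.0,
                       market_allowlist=frozenset({"https://polymarket.com/event/known-a",
                                                   "https://polymarket.com/event/known-b"}))


def demo(now: Optional[float] = None) -> dict:
    """Full consent plus one cycle: only the first trade survives the three gates."""
    now = time.time() if now is None else now
    consent = {"granted_at": now - 3600, "limits_sha256": SAMPLE_LIMITS.digest()}
    live = resolve_mode(["--live"], {"SIMMER_LIVE_ACK": ACK_PHRASE}, consent, SAMPLE_LIMITS, now)
    session = Session(live=live, limits=SAMPLE_LIMITS)
    approved = run_cycle(session, SAMPLE_TRADES)
    return {"live": live, "approved": len(approved), "rejected": [r[0] for r in session.rejected]}


if __name__ == "__main__":
    print(demo())
```

The point of the three-way gate is that no single input, whether a cron line, a typo in a wrapper, or an injected CLI argument, can reach live mode on its own, and the allowlist makes "this market was not pre-approved" a hard stop rather than a reason to call an import routine.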

VirusTotal

65/65 vendors flagged this skill as clean.
