Back to skill

Security audit

Polymarket API

Security checks across malware telemetry and agentic risk

Overview

This skill is a read-only Polymarket lookup helper that contacts a disclosed public API and shows no evidence of hidden access, persistence, credential use, or destructive behavior.

Install this if you want an agent to fetch public Polymarket market and event data. Expect network requests to Polymarket when it runs, avoid putting private information into search terms, and consider narrowing the trigger wording or adding explicit network permission metadata if your environment requires strict governance.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill clearly directs execution of a Python script that makes outbound network requests to Polymarket's public API, yet no permissions are declared. Undeclared network capability weakens review and enforcement controls, making it easier for a skill to access external services without transparent user or platform awareness.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The activation text is broad enough that the skill may trigger for generic 'market prices' or 'event probabilities' questions that are not necessarily about Polymarket. Over-broad routing can cause unintended invocation of a networked skill, leading to unnecessary external data access, user confusion, and a larger attack surface if the skill or downstream API is compromised.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.