Polymarket 24h Cross Asset Sync Trader

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Polymarket trading skill that defaults to simulation and only places real-money trades when explicitly run in live mode.

Install only if you intend to let an agent analyze and potentially trade Polymarket crypto markets. Start in paper mode, use a dedicated least-privilege SIMMER_API_KEY if available, keep conservative limits, and run with --live only when you intentionally accept autonomous real-money USDC trades. Note that SIMMER_MIN_VOLUME is declared as a tunable, but the reviewed code does not appear to enforce a volume check.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 84% confidence
Finding: The skill explicitly requires a high-value credential (`SIMMER_API_KEY`) and describes trading execution, yet the metadata shown in the file does not declare corresponding permissions. That mismatch can cause users or hosting systems to underestimate the skill's ability to access sensitive environment data and place trades, reducing transparency and weakening least-privilege controls.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal