Polymarket 24h Price Curve Arb Trader

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Polymarket trading automation skill that defaults to paper trading, but users should treat its API key and live mode as real-money financial access.

Install only if you intend to run a trading bot. Use paper mode first, provide a restricted low-balance API key, review the simmer-sdk dependency, and verify the actual tunables in the UI, especially SIMMER_MIN_VIOLATION, before enabling live trading.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The manifest explicitly requires a trading API credential and defines an automated trader entrypoint, but it does not provide any user-facing warning about credential access, automated order placement, or the financial risk of running the skill. In this context, the omission is security-relevant because users may grant sensitive credentials to a bot that can autonomously trade, creating risk of unintended fund exposure or misuse even if the code is not overtly malicious.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal