Polymarket 24h Sports Line Curve Trader

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed paper-by-default Polymarket trading skill that can place real trades only when explicitly run with the live flag.

Use paper mode first. Only run with --live if you are prepared for real Polymarket trades using USDC, and prefer a dedicated low-balance or least-privilege SIMMER_API_KEY. Review or pin simmer-sdk before live use because it handles the trading integration.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 96%
Finding
The manifest explicitly requires a sensitive API credential and identifies the skill as a managed trading automaton, but it provides no user-facing disclosure about outbound network access, automated trading behavior, or the risks of granting the credential. In an agent ecosystem, this can mislead users into authorizing a bot with market access without informed consent, increasing the chance of unintended trades or misuse of the API key.

VirusTotal

66/66 vendors flagged this skill as clean.
