Polymarket 48h Equity Strike Trader

Security checks across malware telemetry and agentic risk

Overview

This skill can place real Polymarket trades if intentionally run live, but it is disclosed, purpose-aligned, and defaults to paper trading.

Install only if you are comfortable giving this skill a Simmer/Polymarket trading key. Test in paper mode first, use live mode only deliberately, set conservative risk limits, and consider reviewing or pinning the `simmer-sdk` dependency before real-money use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium (95% confidence)
Finding
The manifest declares an API key requirement for an automated trading skill but does not provide any user-facing disclosure about credential handling, execution risk, or the fact that the skill can place trades using supplied credentials. In a trading context, this omission is material because users may authorize live market access without understanding financial risk, account exposure, or how broadly the credential will be used.

VirusTotal

64/64 vendors flagged this skill as clean.
