Polymarket 48h Sports Line Curve Trader

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed, paper-by-default Polymarket trading skill that needs a sensitive Simmer API key and can place real trades only when live mode is explicitly used.

Install only if you are comfortable giving this skill a Simmer trading API key. Use paper mode first, keep position and trade-size tunables conservative, and review or pin the simmer-sdk dependency before enabling live trades with real USDC.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Low

Confidence: 84% confidence
Finding: The manifest declares a required API credential (`SIMMER_API_KEY`) but provides no user-facing explanation of what service it authenticates to, how it will be used, or how sensitive it is. While this file alone does not show credential exfiltration, requiring a secret without transparency increases the risk of users supplying privileged credentials to unvetted code and reduces informed consent.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal