Polymarket Bundle Btc 5min Streak Trader

Security checks across malware telemetry and agentic risk

Overview

This automated prediction-market trading skill is openly disclosed, but its real-money live/cron trading with an API key is not tightly scoped.

Review this carefully before installing. Use dry-run first, provide only a least-privilege Simmer key if possible, and do not enable --live or cron mode until you have explicit caps for trade size, total daily spend, allowed markets, and a way to stop the bot quickly.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The manifest requires a SIMMER_API_KEY for an automated trading skill, but the metadata shown to users contains no warning that credentials will be supplied to a third-party trading integration or that the skill will interact with external services on the user's behalf. In the context of an autotrading Polymarket strategy, that omission increases the risk of users authorizing sensitive API access without informed consent, which can lead to unintended trades, account misuse, or exposure of account-linked activity.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal