Polymarket Bundle Dota2 Bo3 Trader

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Polymarket trading skill that defaults to paper trading and only makes real trades when explicitly run with a live flag.

Install only if you intend to let this skill use a Simmer trading API key. Start in paper mode, keep limits conservative, review the simmer-sdk dependency, and use --live only when you deliberately accept real USDC trading risk.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The manifest declares an external API credential requirement (SIMMER_API_KEY) but provides no user-facing disclosure that the skill will access an outside service or use supplied credentials. In a trading skill, silent external connectivity increases risk because users may unknowingly grant network access and credential use to automation tied to financial activity.

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The manifest exposes numerous trading controls such as position size, thresholds, and open-position limits without any explicit warning that the skill may place financially consequential trades. Given the skill description is an automated Polymarket trader, lack of risk disclosure can cause users to enable or tune live trading behavior without understanding capital exposure, loss potential, or automation side effects.

VirusTotal

58/58 vendors flagged this skill as clean.

View on VirusTotal