Polymarket Candle Gap Fill Trader

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed paper-by-default Polymarket trading skill, with real-money trading only when the user explicitly enables live mode.

Install only if you intend to evaluate this trading strategy. Keep it in paper mode first, protect and scope the SIMMER_API_KEY, review simmer-sdk, and use --live only with position limits you are willing to risk.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The manifest declares a required API credential (`SIMMER_API_KEY`) but does not provide any user-facing disclosure about external service usage, credential access, or what the key will be used for. In an automated trading skill, this matters because the skill can interact with third-party infrastructure and place trades, so users should be explicitly warned before supplying sensitive credentials.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal