Polymarket Candle Timeframe Mismatch Trader

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Polymarket trading bot, but it can place real-money trades and describes its strategy with overly certain claims.

Install only if you intentionally want an automated Polymarket trading workflow. Keep it in paper mode first, treat SIMMER_API_KEY like financial account access, and do not rely on the strategy's certainty language as proof that live trades will converge or avoid losses.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence: 77%
Finding
The invocation scope is broad and strategy-oriented, with few concrete trigger boundaries beyond a manual `--live` flag. In an agent ecosystem, vague activation criteria can cause the skill to be selected in inappropriate contexts, leading to unintended market actions, overtrading, or misuse of trading credentials.

VirusTotal

66/66 vendors flagged this skill as clean.
