Polymarket Catastrophe Trader

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Polymarket trading skill that defaults to paper trading and only uses live trading when explicitly run with the live flag.

Install only if you intend to connect a Simmer/Polymarket trading workflow. Start in paper mode, avoid --live unless you explicitly want real trades, use the least-privileged key available, and keep conservative position limits because live mode can place real financial orders.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 92%
Finding
The manifest requires a sensitive credential (`SIMMER_API_KEY`) but provides no visible disclosure in the skill metadata about why the key is needed, how it will be used, or what external service will receive it. In an automated trading skill, undisclosed credential use is more concerning because the key may authorize API actions tied to financial activity, making it harder for users to assess trust and risk before installation.

VirusTotal

66/66 vendors flagged this skill as clean.
