Polymarket Macro Event Cascade Trader

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed automated crypto-trading skill, so the financial risk is real but aligned with its stated purpose and documented controls.

Install only if you intend to let an agent assist with trading. Use paper mode first, provide exchange keys with trading permissions only, never enable withdrawals, verify risk limits, and require explicit approval before any live strategy or order.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The manifest requires an API credential and defines an automated trading entrypoint, but it provides no user-facing warning that the skill can place trades using supplied credentials. In this context, users may grant a live trading key without understanding the automation scope, creating a meaningful risk of unauthorized or unexpected financial activity rather than a purely informational omission.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal