Polymarket Macro Weather Commodity Trader

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed weather-based trading helper that defaults to paper trading and only uses live funds when explicitly run with the live flag.

Install only if you are comfortable giving this skill a Simmer trading credential. Keep it in paper mode unless you intentionally want live Polymarket trading, use small position limits, and prefer revocable or least-privilege credentials where available.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 94%
Finding
The manifest explicitly requires an external API credential and describes an automated trader, but it does not provide any user-facing disclosure about outbound network activity, third-party data handling, or the fact that the skill can place trades. In a trading context, this omission is risky because users may enable the skill without understanding that it will connect to an external service and potentially execute market actions using their configured credentials.

VirusTotal

64/64 vendors flagged this skill as clean.
