Polymarket Macro Weekend Momentum Trader

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Polymarket trading bot that defaults to paper trading and only places real trades when explicitly run in live mode.

Treat SIMMER_API_KEY as a sensitive trading credential. Run the skill in the default paper mode first, review the simmer-sdk dependency, and only use --live with account limits and funds you are willing to risk.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium, 94% confidence

Finding:
The manifest explicitly requires a live API credential and describes an automated trading skill, but it provides no user-facing disclosure about credential use, trading authority, or the risks of autonomous order placement. In a financial trading context, this omission can cause users to grant sensitive credentials without understanding that the skill may execute real trades, increasing the chance of unauthorized or unexpected financial activity.

VirusTotal

64/64 vendors flagged this skill as clean.