Polymarket Micro Coin Lag Trader

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed automated trading skill that uses a Simmer API key, defaults to paper trading, and requires an explicit live flag for real trades.

Install only if you are comfortable with automated trading through Simmer/Polymarket. Start in paper mode, review the simmer-sdk dependency, use the least-privileged or disposable API key available, and enable --live only when you understand the position limits and real USDC loss risk.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The manifest explicitly requires a SIMMER_API_KEY and configures an automated trading entrypoint, but it provides no user-facing disclosure that the skill will access credentials and perform external API-backed trading activity. In a trading skill, this omission is security-relevant because users may grant sensitive credentials without understanding they will be used for live market interaction, increasing the risk of unintended account access, trades, or financial loss.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal