Polymarket Music Entertainment Trader

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed trading tool, but its real-money mode has safety limits that do not match the documentation, so it needs review before use.

Use this only after reviewing and setting the actual tunables yourself, especially SIMMER_MIN_DAYS, SIMMER_MIN_VOLUME, position limits, and thresholds. Keep it in paper mode first, use a limited-balance or scoped Simmer key if available, and do not enable --live or scheduling unless you are prepared for real USDC trades.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The manifest requires an external API credential (SIMMER_API_KEY) but provides no user-facing disclosure that the skill will access an external service using that secret. This creates a transparency and consent problem: users may enable the skill without understanding that credentials are required and that external network interaction will occur, increasing the risk of unintended secret exposure or unauthorized third-party access.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal