Polymarket Sports Live Trader

Security checks across malware telemetry and agentic risk

Overview

This skill is openly about automated prediction-market trading, but its live-trading authority and API-key use are under-scoped for real-money use.

Install only if you intentionally want an automated Polymarket trading template. Keep it in dry-run until you have reviewed the code and configured strict position-size, daily-spend, market-filter, and kill-switch rules. Protect the Simmer API key like a financial credential, and do not run live quiet/cron mode unless you accept unattended real-money trades and have confirmed they are permitted under local law.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 93%
Finding: The skill documentation indicates access to environment-based credentials such as `SIMMER_API_KEY`, yet no explicit permissions are declared. In a trading skill, undeclared credential access is dangerous because it can enable real-money actions or secret exfiltration without clear consent boundaries, especially when the same document also advertises a `--live` mode.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 96%
Finding: The manifest describes a sports-data-driven trading skill, but the documented behavior includes live Polymarket trading, paper trading, broad keyword market discovery, and heuristic biasing that are not accurately represented. This mismatch undermines informed consent and review, and in the context of financial trading it can cause operators to enable a skill with riskier behavior and broader capabilities than expected.

Description-Behavior Mismatch

Severity: Medium
Confidence: 89%
Finding: The skill claims to use league tables, injury reports, and Elo signals, but the file describes a no-API template using keyword and calendar heuristics instead. In a financial decision-making context, this is dangerous because users may overtrust the quality and provenance of the strategy inputs, leading to unjustified live trading decisions based on far weaker logic than advertised.

VirusTotal

64/64 vendors flagged this skill as clean.