Polymarket Twitter Weekend Drift Trader

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed trading skill that defaults to paper trading and only uses live trading when explicitly enabled.

Install only if you understand it is a trading automation tool. Start in the default paper mode, review simmer-sdk before providing a live-capable key, use the least-privileged or lowest-funded SIMMER_API_KEY available, and only pass --live after verifying the strategy and risk tunables.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The manifest requires a SIMMER_API_KEY for an external trading service but provides no visible warning in the manifest about credential use, transmission to third-party infrastructure, or the operational risks of connecting a live trading agent. In a finance/trading skill, silent credential requirements are more sensitive because users may expose funded accounts or authorize real market actions without clear notice.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal