Polymarket Whale Contrarian Trader

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed prediction-market trading skill that defaults to paper trading, with real-money trading gated by an explicit live flag.

Install only if you want an agent to analyze prediction-market data and potentially place trades. Keep SIMMER_API_KEY protected, run in paper mode first, and enable `--live` only with low position limits and clear human oversight.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 95% confidence
Finding: The skill documentation indicates use of environment variables and outbound network access (`SIMMER_API_KEY`, Polymarket leaderboard/data APIs, and `simmer-sdk`) but does not declare corresponding permissions. Undeclared capabilities are dangerous because they bypass least-privilege review and can conceal access to secrets or external endpoints that an operator did not knowingly authorize.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal