Security audit

Polymarket 48h Equity Strike Trader

Security checks across malware telemetry and agentic risk

Overview

This skill can place real Polymarket trades if intentionally run live, but it is disclosed, purpose-aligned, and defaults to paper trading.

Install only if you are comfortable giving this skill a Simmer/Polymarket trading key. Test in paper mode first, use live mode only deliberately, set conservative risk limits, and consider reviewing or pinning the `simmer-sdk` dependency before real-money use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 95%
Finding
The manifest declares an API key requirement for an automated trading skill but does not provide any user-facing disclosure about credential handling, execution risk, or the fact that the skill can place trades using supplied credentials. In a trading context, this omission is material because users may authorize live market access without understanding financial risk, account exposure, or how broadly the credential will be used.

VirusTotal

64/64 vendors flagged this skill as clean.