Security audit

Polymarket Bundle Cs2 Maps Trader

Security checks across malware telemetry and agentic risk

Overview

This is a transparent paper-by-default trading skill, but live mode can spend real funds and some advertised risk limits are not actually enforced in the code.

Review carefully before installing for live use. Run in paper mode first, use a dedicated low-balance or least-privilege trading key if available, and do not rely on the documented minimum-volume or concurrent-open-position limits unless the code is fixed or separately enforced.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 93%
Finding
The manifest requests a sensitive API credential (`SIMMER_API_KEY`) and configures an automated trading entrypoint, but it does not disclose to users that the skill can place market trades using their account or explain the risks of granting live trading access. In a trading skill, lack of explicit warning and consent is security-relevant because users may provide credentials without understanding that the agent can autonomously execute financial actions and incur losses.

VirusTotal

66/66 vendors flagged this skill as clean.
