
Security audit

Polymarket Geopolitics Deadline Cascade Trader

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Polymarket trading skill that defaults to paper trading and only places real trades when deliberately run with the live flag.

Use paper mode first. Only run with --live when you intentionally want real USDC exposure. For live use, use a revocable, least-privilege SIMMER_API_KEY, keep conservative position limits, and review the unpinned simmer-sdk dependency before funding.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 88%
Finding
The script can place real trades immediately when invoked with --live, with no second-factor confirmation, dry-run preview, or interactive acknowledgement. In a financial trading skill, this increases the chance of accidental capital deployment from operator error, automation misconfiguration, or unintended invocation, especially because the code is explicitly designed to submit live orders to Polymarket.

VirusTotal

66/66 vendors flagged this skill as clean.
