
Security audit

Polymarket Ladder F1 Championship Trader

Security checks across malware telemetry and agentic risk

Overview

This is a Polymarket trading skill that, as its documentation discloses, runs in paper mode by default; live trading is gated behind an explicit flag and a sensitive Simmer API key.

Install only if you intend to run a trading bot. Treat SIMMER_API_KEY as a high-value credential, start in paper mode, review the maximum position size and maximum open positions tunables, and pass --live only with funds you are prepared to lose.
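The gating pattern the audit describes (paper by default, live only behind an explicit flag plus the credential, with position caps enforced before any order goes out) can be made concrete. The following is an added example written for this page, not code from the skill or from Simmer; the CLI flags, defaults, and function names are assumptions, and only the SIMMER_API_KEY variable and --live flag come from the audit text.

```python
import argparse
from dataclasses import dataclass
from typing import Mapping, Optional, Sequence

# Mode names and all CLI flags other than --live are hypothetical; the real
# skill's internals are not shown on the audit page.
PAPER = "paper"
LIVE = "live"


@dataclass(frozen=True)
class TradingConfig:
    mode: str
    max_position: float        # largest single position allowed, in USD (assumed unit)
    max_open_positions: int    # cap on positions open at the same time
    api_key: Optional[str]     # populated only in live mode


def redact(key: str) -> str:
    """Show only the last four characters so the key never lands in logs whole."""
    return "****" + key[-4:]


def resolve_config(argv: Sequence[str], env: Mapping[str, str]) -> TradingConfig:
    """Paper mode unless --live is given; live additionally requires SIMMER_API_KEY.

    `env` is passed in explicitly (rather than reading os.environ) so the
    credential lookup is visible and testable.
    """
    parser = argparse.ArgumentParser(prog="ladder-trader")
    parser.add_argument("--live", action="store_true",
                        help="place real orders (default: paper trading)")
    parser.add_argument("--max-position", type=float, default=25.0)
    parser.add_argument("--max-open-positions", type=int, default=3)
    args = parser.parse_args(list(argv))

    if args.max_position <= 0 or args.max_open_positions <= 0:
        raise ValueError("position limits must be positive")

    if not args.live:
        # Paper mode never touches the credential, so a key left in the shell
        # environment cannot be used by accident.
        return TradingConfig(PAPER, args.max_position, args.max_open_positions, None)

    key = env.get("SIMMER_API_KEY")
    if not key:
        raise RuntimeError("--live requires SIMMER_API_KEY in the environment")
    return TradingConfig(LIVE, args.max_position, args.max_open_positions, key)


def check_order(cfg: TradingConfig, open_positions: Sequence[str], size: float) -> bool:
    """Return True only if an order of `size` stays within both configured caps."""
    if size <= 0 or size > cfg.max_position:
        return False
    if len(open_positions) >= cfg.max_open_positions:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample invocation: live mode with a fake key, two caps set explicitly.
    sample_env = {"SIMMER_API_KEY": "sk_test_1234"}
    cfg = resolve_config(["--live", "--max-position", "10", "--max-open-positions", "2"], sample_env)
    print(f"mode={cfg.mode} key={redact(cfg.api_key)} "
          f"order_ok={check_order(cfg, ['mkt-a'], 5.0)}")
```

The point of the split is that the default code path never reads the credential at all, and every order passes through `check_order` before it can reach an exchange client, so the two tunables the audit asks you to review are enforced in one place.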

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The manifest requires an external API credential (SIMMER_API_KEY) but does not provide any user-facing disclosure about what external service will be contacted, how the key will be used, or what actions the skill may take with that credential. In a trading skill, this omission matters because users may unknowingly grant live market access and enable order placement against an external platform without informed consent.

VirusTotal

64/64 vendors flagged this skill as clean.
