Security audit

Polymarket Longshot Bias Trader

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed prediction-market trading skill that defaults to paper trading and only makes live trades when explicitly run with the live flag.

Install only if you are comfortable giving this skill a Simmer trading API key. Start in paper mode, keep position limits low, review the broad market scope, and enable --live only if you accept the risk of real financial loss.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The manifest declares a required API credential (SIMMER_API_KEY) but provides no user-facing disclosure about what the credential is used for, what operations the skill will perform with it, or whether it can place trades or access account data. In a trading-related skill, silent credential use increases the risk of users granting high-value account access without informed consent, which can lead to unauthorized trading activity or exposure of sensitive account information if the entrypoint behaves unexpectedly.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal