Security audit

Polymarket Macro Calendar Catalyst Trader

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Polymarket trading skill that defaults to paper trading and only places real trades when explicitly run in live mode.

Install only if you are comfortable giving the skill SIMMER_API_KEY trading authority. Start in paper mode, review the strategy assumptions and position limits, and use --live only if you accept the risk of real USDC losses from automated trades based on static heuristics.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Natural-Language Policy Violations

Medium

Confidence: 86% confidence
Finding: The skill hard-codes broad directional priors such as 'Geopolitical NO' and 'Crypto YES' as default trading guidance, which can push users into biased or context-inappropriate financial decisions without consent, validation, or market-specific evidence. In a live trading context, this is dangerous because users may execute real-money trades based on overgeneralized heuristics presented as strategy defaults rather than optional, qualified inputs.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal