Security audit

Polymarket Micro Pulse Revert Trader

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Polymarket trading skill that defaults to paper trading and only places real trades when deliberately run in live mode.

Install only if you trust Simmer, simmer-sdk, and the publisher with trading authority. Keep the default paper mode until you have reviewed behavior and limits; use --live only when you intentionally want real Polymarket orders, and protect SIMMER_API_KEY like a financial credential.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The script can place real-money trades whenever the --live flag is supplied, but there is no secondary confirmation, interactive prompt, or out-of-band safeguard before enabling the live venue. In an agent or automated execution context, this makes accidental invocation materially dangerous because a misconfigured wrapper, copied command, or prompt injection into surrounding orchestration could trigger irreversible live trades.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal