Polymarket Brain

Security checks across malware telemetry and agentic risk

Overview

This skill’s Discord-posting workflow is disclosed, but it embeds live-looking webhook credentials, posts externally without a strong user-controlled destination boundary, and persists workflow/webhook state across restarts.

Review before installing. Remove and rotate the embedded Discord webhooks, configure your own webhook through a secret or environment variable, verify whether market odds are live or hardcoded, avoid copying the entire skills directory, and disable or clean up memory/snapshot persistence if you do not want this workflow and its posting configuration retained.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (53)

Tainted flow: 'cmd' from os.environ.get (line 244, credential/environment) → subprocess.run (code execution)
Severity: Medium
Category: Data Flow
Content:

    cmd = [sys.executable, str(script)]

    try:
        result = subprocess.run(cmd, capture_output=True, text=True, timeout=120, env=env)
        if result.returncode == 0:
            print("✅ Polymarket analyst completed")
            return parse_polymarket_output(result.stdout)

Confidence: 78%
Finding:
result = subprocess.run(cmd, capture_output=True, text=True, timeout=120, env=env)

Intent-Code Divergence
Severity: Medium
Confidence: 94%
Finding:
This document presents a strong assurance that knowledge will persist across restarts, but the file itself is only declarative text and provides no technical enforcement or validation. Users or operators could rely on the guarantee and skip proper backup or verification, leading to data loss or misplaced trust in the skill's resilience.

Intent-Code Divergence
Severity: Medium
Confidence: 92%
Finding:
The section claims that multiple safeguards are implemented, but this file only lists alleged locations and recovery procedures without proving they exist or are active. In a security-sensitive context, unverifiable claims about backups and persistence mechanisms can mislead users into trusting nonexistent protections.

Intent-Code Divergence
Severity: High
Confidence: 97%
Finding:
The promise that no knowledge will be lost due to normal restart is an absolute reliability guarantee that this document cannot enforce and that real systems cannot safely guarantee without rigorous fault-tolerant design. This is more dangerous in skill context because it encourages operational reliance on persistence for workflows, backups, and recovery decisions, increasing the chance of silent data loss or failed restoration.

Intent-Code Divergence
Severity: Medium
Confidence: 91%
Finding:
The file makes a strong guarantee that the orchestration 'will NOT be forgotten after restart' based only on the presence of files, snapshots, and verification scripts. That assurance is misleading because none of the described mechanisms can guarantee persistence under all conditions, and users may rely on this claim for continuity of operation or sensitive configuration retention.

Intent-Code Divergence
Severity: Medium
Confidence: 94%
Finding:
The statement '100% - Will survive restart' is an unverifiable and overbroad persistence claim that is not supported by the document's evidence. In this skill context, the danger is increased because the document references persisted operational data such as core memory, snapshots, and a Discord webhook configuration, so overtrust could lead users to mishandle recovery, integrity, or secret-management assumptions.

Intent-Code Divergence
Severity: Medium
Confidence: 98%
Finding:
The documentation exposes concrete Discord webhook URLs and instructs operators to place webhook secrets directly into files. Discord webhooks are bearer secrets; anyone who obtains them can post arbitrary content to the associated channels, impersonate the workflow, spam recipients, or exfiltrate data routed through the skill. The contradiction with the later guidance to never commit webhooks increases confidence this is an unsafe secret-handling practice rather than harmless example text.

Intent-Code Divergence
Severity: Medium
Confidence: 92%
Finding:
The document gives inconsistent guidance about history clearing: one section says history should only be cleared manually for testing, while another says TEST mode clears history automatically. This can cause operators to misunderstand data-retention behavior and accidentally erase state or rerun previously suppressed items, affecting auditability and operational safety.

Intent-Code Divergence
Severity: Medium
Confidence: 97%
Finding:
The finding indicates a provenance/integrity failure: a geopolitics analysis about war and oil shocks is attached to a source article about AI data-center labor demand. This mismatch can cause downstream consumers to trust unsupported conclusions, and in an analytics or trading pipeline that can propagate materially false narratives and decisions under the guise of sourced analysis.

Context-Inappropriate Capability
Severity: Medium
Confidence: 99%
Finding:
The script contains a hard-coded Discord webhook URL, which is effectively a secret that grants outbound posting access to an external Discord channel. Anyone with access to the file can reuse or abuse the webhook for unauthorized posting, spam, or covert data exfiltration, and the skill context does not require embedding such a credential directly in source code.

Intent-Code Divergence
Severity: Medium
Confidence: 95%
Finding:
The script reads any line in a local markdown file containing a Discord webhook URL and uses it as an outbound destination for analyst and trading content. This creates a data exfiltration path with weak secret handling because a webhook embedded in documentation/config text can be accidentally exposed, substituted, or reused without validation or explicit user approval.

Context-Inappropriate Capability
Severity: Medium
Confidence: 99%
Finding:
The script contains a hardcoded Discord webhook URL, which is effectively a secret credential that enables outbound data transmission to an external third-party endpoint. Anyone with access to the file can reuse the webhook to exfiltrate data, spam the channel, or impersonate this automation, and the skill provides no consent, environment-based configuration, or destination validation.

Context-Inappropriate Capability
Severity: Medium
Confidence: 96%
Finding:
The script performs outbound POST requests to hard-coded Discord webhooks, which creates an unauthorized external messaging channel. Even though the payloads are only test strings here, embedded webhook endpoints can be abused by anyone with access to the code to exfiltrate data, send spam, or interact with external infrastructure outside expected skill behavior.

Intent-Code Divergence
Severity: Medium
Confidence: 87%
Finding:
The comments claim the script relates to CNBC fetching and Polymarket analysis, but the actual functionality is only to send test messages to Discord webhooks. This mismatch obscures the true behavior of the file, making review harder and increasing the risk that external communications are overlooked or intentionally disguised.

Intent-Code Divergence
Severity: Medium
Confidence: 87%
Finding:
The code comment claims this is a 'CNBC fetcher', but the implementation only posts to a Discord webhook. This mismatch is dangerous because misleading labeling can disguise outbound network behavior, reducing reviewer scrutiny and making covert exfiltration or unauthorized signaling harder to detect.

Vague Triggers
Severity: Medium
Confidence: 94%
Finding:
The phrase 'Ask: "Load polymarket-brain skill"' is a broad natural-language trigger that could cause unintended activation in systems that map assistant prompts to skill execution. In a skill package that also advertises automatic execution and persistence, this lowers the bar for accidental or socially engineered invocation.

Missing User Warnings
Severity: Medium
Confidence: 98%
Finding:
The manifest hard-codes a Discord webhook and describes automatic posting of fetched news articles to that external endpoint without any user-facing disclosure or consent boundary. This creates an exfiltration path for content processed by the skill and exposes a sensitive credential-like webhook URL that could be abused for unauthorized posting if the file is shared.

Missing User Warnings
Severity: Medium
Confidence: 98%
Finding:
This step explicitly sends generated market analysis to Discord, again without any warning that model outputs and potentially sensitive derived insights are being transmitted to a third party. In the context of a trading-analysis workflow, external sharing is more dangerous because it can leak proprietary analysis, trigger unintended dissemination, and reveal webhook credentials embedded in the configuration.

Missing User Warnings
Severity: Medium
Confidence: 88%
Finding:
The reset command indicates a workflow action that likely clears or rewrites history files used to prevent duplicate processing, but the manifest provides no warning that this may be destructive. While not as severe as data exfiltration, undisclosed reset behavior can cause loss of audit/history state and lead to reprocessing or reposting previously handled items.

Missing User Warnings
Severity: Medium
Confidence: 98%
Finding:
The file documents a Discord webhook and explicitly describes workflow phases that send data externally, but it provides no user warning, consent flow, or handling guidance for outbound transmission. Exposing or normalizing use of a live webhook can enable unintended data exfiltration, misuse of the webhook endpoint, and leakage of potentially sensitive analysis outputs to a third-party service.

Missing User Warnings
Severity: Medium
Confidence: 91%
Finding:
The checklist instructs the user to truncate `sent_urls.txt` with `type nul > ...`, which irreversibly clears state used to prevent duplicate posts. Because the step is presented as part of the recommended test flow without an explicit warning about side effects, a user may run it in the wrong environment and cause duplicate notifications, loss of audit/history data, or disruption of normal production behavior.

Missing User Warnings
Severity: Medium
Confidence: 87%
Finding:
The README explicitly instructs users to run a workflow that automatically posts fetched news and generated analysis to Discord webhooks, and also documents a TEST mode that clears URL history to force reposting. Even though this is documentation rather than executable code, it normalizes external data transmission and state-changing behavior without a prominent warning, confirmation step, or discussion of operational/security consequences, which increases the chance of unintended data disclosure, spam, or duplicate posting.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding:
The skill is designed to automatically transmit fetched news and generated analysis to Discord, but the documentation does not prominently frame this as external data egress or obtain explicit operator acknowledgement. In this context, automated outbound posting can leak sensitive workflow outputs, internal reasoning, URLs, or market analysis to a third-party service, especially if reused in environments with non-public inputs.

Missing User Warnings
Severity: Medium
Confidence: 94%
Finding:
The setup steps tell users to configure webhook endpoints in local files without prominently warning that doing so activates automatic external posting. This can lead operators to unknowingly enable persistent exfiltration of article content and analysis to Discord, which is more dangerous because the workflow is automated and intended for repeated execution.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding:
The troubleshooting guide includes commands that send live POST requests to Discord webhooks without warning that they will publish messages to real channels. This creates a concrete risk of accidental external transmission, noisy production side effects, and misuse of live integrations during debugging.

VirusTotal

66/66 vendors flagged this skill as clean.