Lp3
Medium
- Category: MCP Least Privilege
- Confidence: 70%
- Finding: Without declared permissions the skill's intent is opaque and cannot be validated.
Security audit
Security checks across malware telemetry and agentic risk
This skill appears to do what it says: stream live Polymarket trade data through Bitquery, with the main caution being careful handling of the required Bitquery API key.
Install only if you want a live Polymarket trade stream and are comfortable supplying a Bitquery API key. Run it in an isolated Python environment, avoid logging WebSocket URLs, and rotate the Bitquery key if you suspect the connection URL was exposed.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Question: Ethereum Up or Down - March 10, 9:15AM-9:30AM ET
MarketId: 1537455 | Outcome: Down (Index 1)
Resolution: https://data.chain.link/streams/eth-usd
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
OutcomeTrade Side: BUY outcome (IsOutcomeBuy: true)
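import os

from gql.transport.websockets import WebsocketsTransport


async def main():
    # The API key is read from the environment and embedded in the URL query
    # string, so the full WebSocket URL must be kept out of logs.
    token = os.environ["BITQUERY_API_KEY"]
    url = f"wss://streaming.bitquery.io/graphql?token={token}"
    transport = WebsocketsTransport(
        url=url,
        # excerpt ends here
    )

65/65 vendors flagged this skill as clean.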
No suspicious patterns detected.