Polymarket Prediction Monitoring

Security checks across malware telemetry and agentic risk

Overview

This Polymarket monitoring skill is mostly aligned with its stated purpose, but its payment flow is unsafe and could charge users through unclear billing boundaries.

Review carefully before installing. Do not use this with real payments unless the hardcoded SkillPay key is removed, billing requires explicit user confirmation after command validation, and the billing identity is tied to a stable authenticated account. Treat all AI betting recommendations as informational only and avoid entering confidential trading ideas into the analysis command.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (8)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 90%
Finding:
The skill declares that it requires environment variables and, by its documented behavior, makes external network calls, but it does not clearly declare or constrain those capabilities as permissions. This creates a transparency and review gap: users or orchestrators may invoke a skill that can access secrets and external services without explicit permission signaling, increasing the risk of unintended data exposure or unauthorized outbound actions.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding:
The skill is presented as a market-monitoring and analysis tool, but the documentation indicates it also performs billing actions through an external SkillPay service, including charging per invocation and generating payment links when funds are low. That is a materially different and more sensitive behavior than passive analysis, because it can trigger financial transactions or payment workflows users may not expect from the stated purpose.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding:
The file contains a hardcoded live-looking payment API key and uses it to perform billing actions against an external service. Embedding secrets in shipped code is dangerous because anyone with code access can reuse the credential to charge users, create payment links, or abuse the billing account; in a market-monitoring skill, this billing capability is ancillary and increases risk rather than being core to the stated functionality.

Intent-Code Divergence

Severity: Medium
Confidence: 94%
Finding:
The code comment suggests charging is skipped only in development mode, but outside that mode it silently falls back to a real embedded API key if no environment variable is set. This creates an unsafe default: deployments that forget to configure secrets will still perform real billing with the exposed credential, making accidental unauthorized charging and secret leakage more likely.

Vague Triggers

Severity: Medium
Confidence: 86%
Finding:
The skill description is broad enough that it could be auto-selected for general market-analysis or prediction requests, even though it performs paid external calls and potentially betting-oriented recommendations. Over-broad activation increases the chance of accidental invocation, unnecessary charges, and use in contexts where the user did not intend to access a paid or gambling-adjacent tool.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The documentation explicitly promotes identifying 'value betting' opportunities and making BUY YES/BUY NO recommendations without any warning about financial risk, uncertainty, or jurisdictional restrictions. In context, this makes the skill more dangerous because it is not merely informational; it nudges users toward speculative financial behavior without safeguards or disclosures.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The function sends the full event text to a third-party AI provider whenever a GLM5 API key is configured, but there is no user disclosure, consent flow, minimization, or indication that prompts may leave the local environment. If users enter sensitive trading ideas, personal data, or proprietary research in the event description, that data is exposed to an external service and may be logged or retained under that provider's policies.

Missing User Warnings

Severity: Medium
Confidence: 83%
Finding:
The billing request sends user identifiers to a third-party payment service, but there is no indication in this code of notice, consent, minimization, or protection for that data flow. This is risky because user IDs can become linkable personal data, enabling cross-service tracking, privacy violations, or compliance issues if transmitted without clear disclosure and governance.

VirusTotal

VirusTotal findings are pending for this skill version.