Decker + Polymarket

Security checks across malware telemetry and agentic risk

Overview

This skill is an instruction-only Polymarket trading helper, but it asks users to export and store a wallet private key with a third-party service.

Install only if you understand this can guide real Polymarket trades and may require trusting Decker with wallet-level authority. Use a dedicated low-balance wallet, verify every market slug and order manually, and do not provide a primary wallet private key or seed phrase.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

High
Confidence: 98%
Finding
The skill explicitly instructs users to export a Polygon wallet private key from MetaMask and paste it into Decker. That is highly sensitive credential handling guidance: exporting a wallet key dramatically increases the chance of irreversible asset theft if the service is compromised, misconfigured, logged, or spoofed, and the warning present is not sufficient relative to the severity of the action.

VirusTotal

65/65 vendors flagged this skill as clean.
