Polymarket Smart Money

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Polymarket wallet-analysis skill, but users should trust and review the separate local Python project it runs.

Install/use this only if you trust the referenced local PolyAnalysis project, because the skill tells the agent to run Python code outside the reviewed package. Protect any Alchemy RPC key in .env, and clear the local cache when stored wallet-analysis data is no longer needed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 93% confidence
Finding: The manifest description includes broad trigger phrases such as "analyze wallet," "leaderboard," and "copy trading," which can match ordinary user requests and cause the skill to activate outside its intended scope. Over-broad activation can route unrelated prompts into a tool that executes local scripts and accesses external data, increasing the chance of unintended execution paths and user confusion.

Natural-Language Policy Violations

Medium

Confidence: 84% confidence
Finding: The instruction to always use Chinese for user-facing output assumes a language preference without explicit user choice. This can cause misleading or inaccessible responses, and in multi-step workflows may increase the chance that users misunderstand analysis results or safety-relevant caveats.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal