Polymarket CLI & Arb Scanner

Security checks across malware telemetry and agentic risk

Overview

This Polymarket skill is consistent with its stated purpose, but it is rated Review because it can affect real funds and includes unsafe install and command-execution patterns.

Install only after reviewing or replacing the installer with a pinned, verified release. Use read-only commands by default, do not paste real private keys into chat or command lines, and require explicit confirmation of market, side, price, size, wallet, fees, and irreversible effects before any trade, approval, deposit, split, merge, redeem, or cancel-all action. Avoid the TypeScript expiry arbitrage scanner with untrusted query text until its shell command construction is fixed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill instructs the agent to use shell commands extensively, including installation and trading operations, but does not declare corresponding permissions. This creates a mismatch between the documented behavior and the security model, increasing the chance that an agent executes impactful commands without explicit authorization boundaries.

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The skill description frames the capability as browsing and trading on Polymarket, but the content also includes software installation via a remote script, wallet management, and other higher-risk operational behavior not clearly disclosed. Users or orchestrators may invoke the skill under a lower-risk assumption and unintentionally permit supply-chain exposure or financial actions beyond the declared purpose.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The example shows importing a wallet using a raw private key directly on the command line, which is a sensitive secret handling anti-pattern. Command-line arguments can be exposed through shell history, process listings, logs, screenshots, and copied transcripts, making credential compromise and wallet theft more likely.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The trading examples include placing market/limit orders and cancelling orders without any warning that these are live financial actions that can commit funds, incur losses, or behave irreversibly once matched. In an agent skill context, examples strongly influence tool use, so omission of risk and confirmation guidance increases the chance of unintended real-money trades.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill provides concrete commands for placing orders, approving contracts, bridging, splitting/merging, and redeeming without an explicit warning that these actions can move real funds and may be irreversible. In an agent context, this omission materially increases the risk of accidental trades, token approvals, or on-chain transactions being executed without informed user confirmation.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The authentication section documents wallet creation/import and notes config storage, but does not warn that private keys and wallet material are highly sensitive and must not be exposed to logs, prompts, or shared files. In an agent-assisted workflow, users may paste secrets directly into the interface, leading to credential theft or long-term compromise of blockchain assets.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script interpolates the untrusted CLI argument `query` directly into a shell command passed to `execSync(..., { shell: "/bin/bash" })`. Because the value is embedded inside a double-quoted shell string, shell metacharacters such as command substitution `$(...)` or backticks can still be evaluated, allowing arbitrary command execution on the host running the skill.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The installer executes shell scripts fetched directly from the network (`curl | sh`) without integrity verification, pinning to a trusted commit, or explicit user confirmation. This creates a supply-chain execution path where a compromised upstream repository, CDN, or network trust boundary could result in arbitrary code execution on the host during installation.

Session Persistence

Medium
Category
Rogue Agent
Content
```bash
polymarket setup                    # Interactive wizard
# Or manually:
polymarket wallet create            # New wallet
polymarket wallet import 0xKEY...   # Import existing
polymarket approve set              # Approve contracts (needs MATIC)
```
Confidence
84% confidence
Finding
Config stored at `~/.config

External Script Fetching

Low
Category
Supply Chain
Content
Binary must be installed. If missing:
```bash
curl -sSL https://raw.githubusercontent.com/Polymarket/polymarket-cli/main/install.sh | sh
# Or build from source:
# cargo install --path /tmp/polymarket-cli
```
Confidence
97% confidence
Finding
curl -sSL https://raw.githubusercontent.com/Polymarket/polymarket-cli/main/install.sh | sh

Chaining Abuse

High
Category
Tool Misuse
Content
Binary must be installed. If missing:
```bash
curl -sSL https://raw.githubusercontent.com/Polymarket/polymarket-cli/main/install.sh | sh
# Or build from source:
# cargo install --path /tmp/polymarket-cli
```
Confidence
99% confidence
Finding
| sh

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal