Polymarket Arb Bot

Security checks across malware telemetry and agentic risk

Overview

This automated trading skill has real financial authority plus under-disclosed external messaging, exposed secrets, and unsafe code paths that need review before installation.

Do not install this as-is for a funded wallet. Only consider it after removing hardcoded Telegram credentials, rotating exposed secrets, deleting wallet_backup.txt, replacing eval with safe parsing, disabling or isolating Chrome DevTools/browser automation, and verifying exactly which trading strategy and background watchdog processes will run.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (48)

eval() call detected

High
Category
Dangerous Code Execution
Content
if events and events[0].get('markets'):
                        markets = events[0]['markets']
                        if markets:
                            token_ids = eval(markets[0].get('clobTokenIds', '[]'))
                            if token_ids:
                                # UP = token_ids[0], DOWN = token_ids[1]
                                token_id = str(token_ids[0] if direction == "UP" else token_ids[1])
Confidence
99% confidence
Finding
token_ids = eval(markets[0].get('clobTokenIds', '[]'))

eval() call detected

High
Category
Dangerous Code Execution
Content
if events and events[0].get('markets'):
                markets = events[0]['markets']
                if markets:
                    token_ids = eval(markets[0].get('clobTokenIds', '[]'))
                    if len(token_ids) >= 2:
                        return str(token_ids[0]), str(token_ids[1])  # UP, DOWN
    except:
Confidence
99% confidence
Finding
token_ids = eval(markets[0].get('clobTokenIds', '[]'))

subprocess module call

Medium
Category
Dangerous Code Execution
Content
print("📡 开始推送日志...\n")
    
    # Read the process output in real time
    proc = subprocess.Popen(
        ['tail', '-f', f'/proc/{pid}/fd/1'],
        stdout=subprocess.PIPE,
        stderr=subprocess.PIPE,
Confidence
87% confidence
Finding
proc = subprocess.Popen( ['tail', '-f', f'/proc/{pid}/fd/1'], stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True )

Tainted flow: 'markets' from requests.get (line 270, network input) → eval (code execution)

Critical
Category
Data Flow
Content
if events and events[0].get('markets'):
                        markets = events[0]['markets']
                        if markets:
                            token_ids = eval(markets[0].get('clobTokenIds', '[]'))
                            if token_ids:
                                # UP = token_ids[0], DOWN = token_ids[1]
                                token_id = str(token_ids[0] if direction == "UP" else token_ids[1])
Confidence
100% confidence
Finding
token_ids = eval(markets[0].get('clobTokenIds', '[]'))

Tainted flow: 'markets' from requests.get (line 78, network input) → eval (code execution)

Critical
Category
Data Flow
Content
if events and events[0].get('markets'):
                markets = events[0]['markets']
                if markets:
                    token_ids = eval(markets[0].get('clobTokenIds', '[]'))
                    if len(token_ids) >= 2:
                        return str(token_ids[0]), str(token_ids[1])  # UP, DOWN
    except:
Confidence
100% confidence
Finding
token_ids = eval(markets[0].get('clobTokenIds', '[]'))

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The README describes an "arbitrage bot" with single-market and cross-market arbitrage features, while the skill metadata says it is a 5-minute UP/DOWN prediction bot driven by Binance technical analysis. This mismatch is security-relevant because users may grant credentials, capital, or deployment approval under false assumptions about the bot's behavior, increasing the chance of unsafe operation or misuse.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The README publicly exposes a specific Polygon wallet address and references a backup file containing wallet material. In the context of an automated betting bot that can place live trades, disclosing operational wallet details and backup artifact names increases the risk of targeted theft attempts, social engineering, or accidental exposure of sensitive key material.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The implementation diverges from the advertised architecture by placing orders through a local polymarket CLI instead of the declared CLOB API and gnosis-safe wallet flow. In a trading skill, this mismatch is dangerous because users may assume protected multisig or wallet controls exist when the code can trigger direct live orders through whatever local credentials the CLI uses.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The bot contains outbound Telegram messaging with embedded credentials and sends live trading details to a third party. In a trading skill, this introduces undisclosed exfiltration and expands the trust boundary beyond market APIs into personal messaging infrastructure.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The file documents an automatic close-out strategy, but check_close_trigger() is disabled in this file. This mismatch can mislead operators into believing positions will be exited before market end when they may remain open, increasing financial exposure and undermining safe operation.

Intent-Code Divergence

Low
Confidence
84% confidence
Finding
The startup messages explicitly claim a 270-second close-out strategy that this file does not perform. While not code execution, inaccurate operator-facing safety claims are risky in an autonomous trading system because they can cause misplaced trust and delayed intervention.

Description-Behavior Mismatch

High
Confidence
93% confidence
Finding
The file header and behavior indicate an arbitrage scanner/bot, while the skill metadata describes a 5-minute prediction-trading bot driven by Binance technical analysis. This mismatch is dangerous because users may authorize trading or monitoring under false assumptions, causing unintended market actions, strategy misuse, and trust boundary violations in an automated financial context.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The inline documentation explicitly says the bot focuses on arbitrage, contradicting the declared prediction-based purpose. In an automated trading skill, misleading documentation can cause operators, reviewers, or downstream agents to deploy the wrong financial behavior and underestimate the associated risk.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The module claims to execute trades via the Polymarket CLI, but the functions only print messages and unconditionally return success. In an automated trading context, this can cause upstream orchestration to believe hedges or bets were placed when no orders were sent, creating unhedged exposure, incorrect accounting, and dangerous operational decisions.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The script attaches to an already-running Chrome instance over the DevTools remote debugging protocol and drives arbitrary page navigation plus DOM/script evaluation. That capability is powerful and can expose browser session data or interfere with other tabs if the debugging port is enabled broadly, which is risky in a trading bot context because it exceeds simple market-data retrieval and relies on a sensitive local browser control channel.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The script attaches to an already-running Chrome instance via the DevTools debugging port, which can inherit that browser's authenticated sessions, cookies, and broader browsing context. It then unconditionally calls browser.close(), potentially terminating a user or shared automation browser and enabling disruption or unintended access beyond the narrow task of scraping a public Polymarket page.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The file's implemented behavior materially diverges from the skill's stated purpose: it performs simplistic arbitrage detection instead of 5-minute crypto direction prediction and automated Polymarket trading support. In a trading bot context, this capability mismatch is dangerous because operators may trust the skill for one strategy while it silently executes or informs another, increasing the chance of financial loss, incorrect automation, or deployment of unreviewed trading logic.

Intent-Code Divergence

Low
Confidence
86% confidence
Finding
The module presents itself as machine-learning-based detection, but the implementation is only a basic heuristic using price deviation and liquidity scoring. In a financial automation context, misleading claims about analytical sophistication can cause users to over-trust outputs, weaken review scrutiny, and make risky trading decisions based on an unsound model.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
This helper exfiltrates trading activity to an external Telegram endpoint, which is outside the core Polymarket trading function described for the skill. Even if intended as monitoring, it creates an undisclosed outbound data channel that exposes sensitive operational details such as trades, timing, and amounts to a third party and to whoever controls the bot token/chat.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The script contains hardcoded Telegram bot credentials and a fixed chat ID, which is a direct secret exposure and enables unauthorized use of the bot and message destination. In a trading bot context, this is especially risky because it can leak live trading activity and provides a persistent covert notification channel tied to a specific external account.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The presence of browser automation libraries in a crypto trading/betting bot materially increases risk because they can drive authenticated browser sessions, access cookies, and perform actions outside documented APIs. In the context of automated Polymarket trading and wallet use, this creates a credible path to unauthorized trades, wallet interaction abuse, or covert scraping/account manipulation if the skill uses the browser as a privileged control channel.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The file embeds a live Telegram bot token and chat ID, enabling unauthorized use of the bot if the code is exposed. In a trading bot context, outbound messaging can leak sensitive trade activity and give an attacker a reusable credential for external communications.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
This file's behavior materially differs from the stated purpose of an API-based Polymarket trading bot: it drives a locally exposed Chrome DevTools interface to scrape data from a browser session. That mismatch is dangerous because CDP access can expose browser state, cookies, and open pages, and users invoking a trading skill would not reasonably expect browser automation against their local Chrome instance.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
Controlling a local Chrome DevTools endpoint is far more privileged than necessary for the manifest's stated API-based trading purpose. If a local Chrome instance is running with remote debugging enabled, this code can inspect or manipulate browser tabs and execute JavaScript in page context, which creates substantial risk of unintended access to sensitive session data or interference with the user's browser.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The script is presented as a log viewer, but its actual behavior is to start the trading bot process and stream its output. In a trading skill context, this mismatch is risky because a user may believe they are performing passive observation while actually triggering live automated trading activity.

VirusTotal

66/66 vendors flagged this skill as clean.
