Polymarket Edge

Security checks across malware telemetry and agentic risk

Overview

The skill matches its Polymarket trading purpose, but it ships with an embedded billing API key and weak controls around automated real-money trading.

Review carefully before installing. Remove and rotate the embedded SkillPay key, require billing credentials from secure environment configuration, avoid exposing the API to untrusted callers, and do not enable auto_trade or provide a Polymarket private key unless you have strict wallet isolation, spend limits, and a clear stop procedure.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The documented behavior understates materially sensitive capabilities: live trading scaffolding, billing-management endpoints, and especially the note that code may use a hardcoded external SkillPay API key. Misleading or incomplete disclosure can cause users or integrators to invoke a skill with financial side effects or trust boundaries they did not consent to, and a hardcoded credential would create direct secret-exposure risk if present in code.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The file contains a hard-coded fallback SkillPay API key, which is a real secret embedded in source code. Anyone with access to the code can extract and abuse that credential to charge users, query balances, or generate payment links against the billing backend; in a trading skill, billing access is ancillary and expands risk unnecessarily.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README documents starting an auto-trader with live trading enabled, but the warning is limited to using a burner wallet and does not clearly state that the system can place recurring real-money trades automatically and incur rapid financial losses. In a trading skill, unclear disclosure around autonomous order placement materially increases the chance of unsafe user operation and unintended losses.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README instructs users to export a private key directly into an environment variable and integrate it into live trading code, but does not adequately warn that compromise of this key enables full wallet takeover and irreversible asset loss. Because this skill is designed for automated market interaction, encouraging operational use of raw private keys without stronger handling guidance creates significant credential exposure risk.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The live-trading section says users can start the auto-trader with `auto_trade=true` after setting a private key and optionally uncommenting code, but it does not define strong guardrails, confirmation steps, dry-run defaults, or trade limits. In a financial skill, ambiguous activation semantics increase the chance of accidental order placement and unintended use of real funds.

Missing User Warnings

High
Confidence
95% confidence
Finding
The auto-trader endpoints are presented like ordinary API operations, but the documentation does not clearly warn that starting the service can ultimately execute live trades and affect wallet funds when trading is enabled. Because this skill operates in a real-money prediction market context, insufficient warning materially increases the risk of user harm through accidental financial actions.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The /signal endpoint accepts auto_trade=true and explicitly notes that it can place real orders, but it does not require any stronger confirmation, role restriction, or safety interlock beyond a query parameter. In a trading skill, this increases the chance that a caller, agent, or integration unintentionally triggers live trades using a configured private key, causing real financial loss.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The /autotrader/start endpoint can launch a persistent background trading loop with auto_trade=true, again gated only by a query parameter and without strong user-facing or server-side safety controls. Because this can repeatedly place real orders over time, accidental or unauthorized activation is more dangerous than a one-shot signal run and could amplify losses before detection.

Env Variable Harvesting

High
Category
Data Exfiltration
Content
BILLING_URL = "https://skillpay.me/api/v1/billing"

API_KEY: str = os.environ.get(
    "SKILL_BILLING_API_KEY",
    "sk_f6d35052e6659e9a20a240890b42949b9eeb5c3d40305513eec12333f3625b91",
)
Confidence
98% confidence
Finding
`os.environ.get("SKILL_BILLING_API_KEY", ...)` with a hard-coded fallback key

Unpinned Dependencies

Low
Category
Supply Chain
Content
fastapi>=0.111.0
uvicorn[standard]>=0.29.0
httpx>=0.27.0
Confidence
92% confidence
Finding
`fastapi>=0.111.0`

Unpinned Dependencies

Low
Category
Supply Chain
Content
fastapi>=0.111.0
uvicorn[standard]>=0.29.0
httpx>=0.27.0

# Optional: for live order placement on Polymarket CLOB
# py-clob-client>=0.17.0
Confidence
92% confidence
Finding
`httpx>=0.27.0`

VirusTotal

66/66 vendors flagged this skill as clean.