Back to skill

Security audit

PolyFly Predictions

Security checks across malware telemetry and agentic risk

Overview

PolyFly is an instruction-only prediction-market skill, but it enables real HBAR/USDC account actions without enough user-control guidance.

Install only if you intend for an agent to interact with a real prediction-market account. Require explicit confirmation before every HBAR/USDC bet, market creation, or claim; set strict spend limits; restrict which markets may be used; and treat API keys/JWTs as financial credentials that should not be exposed in prompts, logs, or transcripts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill instructs agents to place bets, create markets, and claim winnings involving HBAR/USDC without any explicit warning about financial loss, irreversible transfers, jurisdictional restrictions, or the need for user authorization. In an agent context, this is risky because an operator could enable the skill and unintentionally allow autonomous financial activity using real assets.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.