Back to skill

Security audit

Polymarket Live Bet

Security checks across malware telemetry and agentic risk

Overview

This skill is not malware, but it asks an agent to handle real-money Polymarket betting and token approvals without clear safety limits or confirmation rules.

Review carefully before installing. Use only with a limited wallet, small capped allowances, and manual approval for every signature, token approval, and order. Do not give it broad private-key access or let it trade autonomously without external spending limits and a way to revoke allowances.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill advertises live betting, token approvals, and trading automation but does not clearly warn users that it can trigger real-money financial transactions and blockchain token approvals. This increases the chance of uninformed or accidental use, especially because approvals can grant spending authority beyond a single action and live trading can lead to immediate monetary loss.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.