Back to skill

Security audit

Orcatrace

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed API guide for Polymarket intelligence, with expected privacy and payment considerations but no hidden code or install behavior.

Install only if you are comfortable querying an external Polymarket-intelligence API and, for paid routes, using a wallet/private key setup that can authorize USDC payments on Base. Treat the published wallet analytics as public-chain intelligence with privacy implications, and verify costs and payment requirements before enabling automated paid calls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The skill explicitly states that free endpoints publish full public wallet addresses, which are blockchain-public but still sensitive when aggregated, labeled, and redistributed with behavioral scoring. This creates privacy and targeting risk by making it easier to profile, track, or harass specific traders, especially since the documentation emphasizes cross-checking and reuse by downstream agents.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.