Polymarket Weather Trader

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed weather-market trading skill that defaults to dry-run mode but can place real Polymarket trades when explicitly run live.

Install only if you intend to give this skill access to Simmer account data and possible trading authority. Start with dry-run, keep small max-position and max-trades settings, protect or rotate the SIMMER_API_KEY, and enable --live, --quiet, cron, or --no-safeguards only after you understand the financial risk.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 95%
Finding
The documentation says 'Execute real trades' for the --live flag, but it does not prominently warn that this submits actual market orders using real funds and can cause financial loss. In an automated trading skill, insufficient warning materially increases the chance of accidental execution by users who may treat command examples as safe to paste.

VirusTotal

65/65 vendors flagged this skill as clean.
