Prediction Market Watcher

Security checks across malware telemetry and agentic risk

Overview

This skill matches its prediction-market purpose, but it can use live Kalshi credentials to place real-money bets automatically without a clear confirmation gate.

Review carefully before installing. Use demo or scan-only mode first; do not run --run with live credentials unless you want automated real-money bets; protect the Kalshi private key; and add your own confirmation, spending, and notification controls before using it on a real account.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (6)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 96%
Finding:
The skill instructs the agent to access local config and key files, make network calls to external trading APIs, and potentially write local state such as risk tracking, yet no permissions are declared. This creates hidden capability expansion: a caller may invoke a seemingly simple monitoring skill that can touch credentials, transmit financial data, and place trades without transparent permission boundaries.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 88%
Finding:
The manifest claims broader capabilities than are actually implemented, including Polymarket support, settlement monitoring, proactive reminders, and portfolio summaries. In a financial trading context, this mismatch is security-relevant because users or orchestration logic may rely on nonexistent safeguards or coverage, leading to missed settlements, incorrect assumptions about monitoring, or unintended routing to a trade-capable skill.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding:
The activation text is broad enough that the skill could be selected for common market-related requests, including ambiguous prompts about prices, portfolios, or opportunities. Because this skill includes live trading capability, overbroad routing materially increases the chance of accidental invocation of a real-money betting workflow in contexts where the user did not clearly request trading.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The skill advertises betting and trading actions without upfront warning that these are real-money financial transactions with loss risk. In combination with broad activation and live order placement instructions, users may be led into placing bets without clear informed consent or adequate friction, increasing the risk of accidental financial harm.

Missing User Warnings

Severity: High
Confidence: 97%
Finding:
The --run path directly invokes cmd_scan(..., auto_bet=True), which can place live orders without any interactive confirmation, dry-run default, or explicit acknowledgement of financial risk. In a trading skill, this is especially dangerous because accidental invocation, automation misuse, or prompt/agent chaining could trigger irreversible real-money trades.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
This client exposes direct order-placement and cancellation primitives with no built-in confirmation, policy gate, or safety interlock before executing real-money trading actions. In the context of an agent skill explicitly designed to monitor and trade on prediction markets, any upstream prompt injection, logic bug, or mistaken automation could immediately translate into unauthorized or unintended financial transactions.

VirusTotal

64/64 vendors flagged this skill as clean.
