Polymarket Mispricing Events

Security checks across malware telemetry and agentic risk

Overview

This skill discloses that it is an automated prediction-market trader, but it can run on a schedule and place live-money trades without a clear per-trade approval step.

Install only if you intentionally want an unattended prediction-market trading automaton. Keep TRADING_VENUE set to sim until fully tested, use restricted API credentials, set conservative trade and position limits, and confirm how to pause or uninstall the scheduled job before enabling live-money trading.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill explicitly discusses trading and includes a 'live' real-money mode, but it does not provide a clear up-front warning that execution may place real financial trades and change account positions. That omission can lead users to enable or run the skill without understanding that it may cause irreversible monetary loss, particularly because the strategy automates entry decisions and sizing. The surrounding context makes this more dangerous, not less, because the skill is specifically designed to detect opportunities and trade them automatically.

VirusTotal

66/66 vendors flagged this skill as clean.
