Polymarket Sports Live

Security checks across malware telemetry and agentic risk

Overview

This is a transparent sports-trading automaton, but live mode can place repeated real-money trades without a final confirmation or overall exposure cap.

Install only if you intend to run an automated trading bot. Keep the default dry-run or simulated venue until tested, use a limited API key if possible, set a small SPORTS_TRADE_SIZE, confirm whether the automaton is live or simulated, and monitor or disable the cron job if you do not want continuous trading.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 91%
Finding
When run with --live, the skill proceeds directly to client.trade() based on model signals without an explicit confirmation or last-minute warning at the irreversible execution point. In an automated trading skill handling real funds, this increases the chance of accidental order placement due to operator error, misconfiguration, or stale assumptions about venue/environment.

VirusTotal

61/61 vendors flagged this skill as clean.
