Simmer Momentum Trader

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Simmer/Polymarket trading template that defaults to dry-run and only places real trades when live mode is explicitly used.

Install only if you are comfortable connecting a Simmer trading API key. Keep it in dry-run until you review the strategy and SDK, restrict `MARKET_IDS`, use a small `TRADE_AMOUNT`, and understand that running with `--live` can place real trades.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 86% confidence
Finding: The skill documentation indicates it reads sensitive configuration from environment variables, including `SIMMER_API_KEY`, but no permissions are declared for that capability. Undeclared access to environment data weakens transparency and reviewability, and in a trading skill this is more sensitive because API keys can authorize real market actions if the skill is run live.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal