Neckr0ik Polymarket Trader

Security checks across malware telemetry and agentic risk

Overview

This is a market-data scanning skill that appears purpose-aligned and does not trade, persist, delete data, or hide extra behavior.

Before installing, treat this as an informational trading tool, not a guaranteed-profit system. Use only limited-scope Polymarket credentials if you set POLYMARKET_API_KEY, verify market and fee assumptions yourself, and be aware that some documented features such as webhook alerts and monitoring are not present in the packaged script.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill documents a --webhook option for alerting without warning that market-monitoring outputs will be sent to an external URL. Even if the data is not highly sensitive, webhook transmission can leak trading interests, monitored markets, timing signals, and operational metadata to third parties, which is especially relevant for a trading/arbitrage workflow.

VirusTotal

65/65 vendors flagged this skill as clean.
