Polymarket Weather Bucket Thresholds

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Simmer trading bot that defaults to dry-run, but live mode can sell broader account positions than the advertised weather strategy and runs on a schedule.

Review before installing. Keep it in dry-run unless you are comfortable giving it Simmer account access, and restrict live execution so it only exits positions opened by this strategy or explicitly allowed markets; also verify the warning handling, trade caps, dependency source, and API key privileges.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 87% confidence
Finding: The skill metadata declares no permissions, but the analyzer detected capabilities consistent with environment access and network use. That mismatch is dangerous because it prevents reviewers and policy controls from accurately understanding what the skill can do, which is especially relevant for a trading skill that may access secrets and external market APIs.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal