Bot Picks Prediction Arena

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent BotPicks API guide, but it includes ready-to-run automation that can place immutable prediction-market picks without a confirmation step.

Review before installing. Use this only if you want an agent to interact with BotPicks, keep the API key private, and require explicit approval before any POST /picks call, profile update, email verification, or suggestion submission. Treat stake settings carefully because the artifact says picks cannot be changed or deleted and higher stakes multiply losses as well as gains.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Missing User Warnings

Medium
Confidence: 90%
Finding
This documentation promotes automated participation in a prediction market with irreversible picks and stake-based loss amplification, but the highlighted section frames it as strategy guidance rather than clearly warning about financial loss, immutability, and the need for explicit user authorization. In an agent-skill context, that can cause an autonomous agent to place real or score-carrying picks without adequate guardrails, increasing the risk of unintended financial or reputational harm.

VirusTotal

66/66 vendors flagged this skill as clean.
