Back to skill

Security audit

permissionless prediction markets

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate prediction-market skill, but it can use a wallet private key to submit live Base mainnet transactions and grant persistent token-spending approvals with limited safety warnings.

Review this carefully before installing. Use only a dedicated low-balance wallet, avoid primary wallet keys, verify contract and token addresses independently, prefer exact or revocable approvals over unlimited allowances, and treat all create/trade/settle/redeem examples as live mainnet actions that can spend funds.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
82% confidence
Finding
The skill requires sensitive environment variables, including a wallet private key, but the metadata does not declare permissions or prominently frame the security implications of handling secrets. In an agent setting, undeclared secret access can lead to unexpected key use or accidental exposure because users may not realize the skill needs signing authority.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill normalizes automatic ERC20 approvals and specifically promotes infinite approvals without a prominent warning that this grants ongoing token-spending authority to external contracts. If the approved contract is compromised, upgraded maliciously, or misconfigured, a user could lose all approved token balances, making this especially dangerous in a blockchain trading skill where real assets are involved.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documentation instructs users to initialize the SDK with a raw private key and then demonstrates direct on-chain write operations such as market creation, trading, settlement, and redemption, but it does not prominently warn that these actions sign real transactions and can spend funds. In a blockchain trading context, this omission can mislead integrators into unsafe key handling or accidental mainnet execution, increasing the risk of fund loss or key compromise.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The example demonstrates live on-chain actions including market creation, trading, settlement, and redemption using a real private key and mainnet Base RPC, but it does not warn that these actions can spend funds and trigger irreversible transactions. In a prediction-market skill, users are especially likely to copy-paste examples directly, so omission of safety notice materially increases the chance of accidental real-asset loss or unintended market activity.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The batch creation example can create multiple live markets in sequence, each potentially locking collateral and incurring fees, yet it provides no warning that repeated on-chain actions will be submitted automatically. Because this skill is specifically for prediction-market infrastructure, batch operations are plausible production workflows, which makes copy-paste misuse more likely and the missing caution more dangerous.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The trading bot example automatically places trades based on price thresholds without warning that it can execute real trades with live funds. In the context of an agent skill for market infrastructure, automation is a core use case, so failing to highlight autonomous spending and trading risk can lead to immediate unintended financial exposure.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
1. **First interaction requires approval**: When you create a market or trade for the first time with a token, an approval transaction is sent
2. **Infinite approvals**: The SDK uses `type(uint256).max` approvals (standard EVM pattern) so you only approve once per token
3. **Subsequent interactions**: No approval needed—transactions execute directly

### Timing Considerations
Confidence
86% confidence
Finding
No approval

Unpinned Dependencies

Low
Category
Supply Chain
Content
"redeem": "npx ts-node redeem.ts"
  },
  "dependencies": {
    "pnp-evm": "^0.1.2",
    "ethers": "^6.0.0"
  },
  "devDependencies": {
Confidence
95% confidence
Finding
"pnp-evm": "^0.1.2"

Unpinned Dependencies

Low
Category
Supply Chain
Content
},
  "dependencies": {
    "pnp-evm": "^0.1.2",
    "ethers": "^6.0.0"
  },
  "devDependencies": {
    "ts-node": "^10.9.0",
Confidence
95% confidence
Finding
"ethers": "^6.0.0"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"ethers": "^6.0.0"
  },
  "devDependencies": {
    "ts-node": "^10.9.0",
    "typescript": "^5.0.0",
    "@types/node": "^20.0.0"
  }
Confidence
86% confidence
Finding
"ts-node": "^10.9.0"

Unpinned Dependencies

Low
Category
Supply Chain
Content
},
  "devDependencies": {
    "ts-node": "^10.9.0",
    "typescript": "^5.0.0",
    "@types/node": "^20.0.0"
  }
}
Confidence
84% confidence
Finding
"typescript": "^5.0.0"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"devDependencies": {
    "ts-node": "^10.9.0",
    "typescript": "^5.0.0",
    "@types/node": "^20.0.0"
  }
}
Confidence
80% confidence
Finding
"@types/node": "^20.0.0"

VirusTotal

59/59 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.