Polymarket Spread Sniper

Security checks across malware telemetry and agentic risk

Overview

This automated trading skill discloses its behavior well enough to avoid a malicious finding, but it warrants Review because its live-trading authority, bundled risk limits, and credential handling are broader than users may expect.

Install only if you intentionally want an automated trading bot. Before using --live or any cron job, lower config.json risk caps, use a restricted SIMMER_API_KEY with only the funds and permissions you are willing to expose, avoid broad workspace .env files, start with dry runs, and monitor the local position, daily spend, and P&L log files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill advertises operational behavior that clearly requires environment access, local file read/write, and network access, but it does not declare any permissions. Undeclared capabilities are dangerous because they hide the actual trust boundary from reviewers and operators, making it easier for the skill to access credentials, persist data, and communicate externally without explicit approval.

Tp4

High
Category
MCP Tool Poisoning
Confidence
88% confidence
Finding
The documented purpose frames the skill as a simple trading algorithm, but the behavior also includes redemption actions, direct external API access outside the SDK, persistent local journaling, and P&L/history logging. This mismatch is risky because operators may approve the skill expecting only market scanning/trading logic, while it also performs additional stateful and networked actions that affect funds, privacy, and auditability.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The configuration materially weakens the stated strategy controls: a nearly unlimited daily spend, a 50% take-profit, and a 33% time-stop diverge from a conservative 3% edge-sniping approach and can expose the agent to outsized capital deployment and prolonged risk. In an automated trading skill, these mismatches are dangerous because operators may rely on the manifest description while the actual runtime behavior takes much larger and riskier positions than expected.

Description-Behavior Mismatch

Medium
Confidence
82% confidence
Finding
This script adds account-settlement behavior for Simmer that is outside the stated Polymarket spread-sniping scope, creating hidden operational capability beyond what a user might expect from the skill description. In an agent environment, mismatched scope increases risk because a user may grant or run the skill without realizing it can act on a separate external account and mutate balances via redemption.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The script reads a workspace-level .env and consumes a SIMMER_API_KEY for an external service that is not justified by the advertised Polymarket-only purpose. This broadens the skill's access surface and can cause users to unintentionally expose unrelated credentials to code they did not expect to interact with another platform.

Context-Inappropriate Capability

Medium
Confidence
81% confidence
Finding
The script walks up parent directories and parses a .env file directly, which expands its credential access beyond explicit process environment configuration. That behavior is broader than necessary for a simple reporting utility and can unintentionally pull in secrets from a repository or workspace root, increasing accidental secret exposure risk.

Missing User Warnings

Low
Confidence
77% confidence
Finding
When verbose mode is enabled, the script prints market questions and P&L details to stdout, and the docstring shows likely cron-based logging to a file. This can leak trading history or sensitive financial metadata to logs or shared environments, especially if log retention or file permissions are weak.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The script appends portfolio-derived financial snapshots to a local log file by default, potentially creating a persistent record of balances and P&L without explicit opt-in. On shared systems or loosely permissioned workspaces, this can expose sensitive trading information to other users or processes.

Missing User Warnings

High
Confidence
88% confidence
Finding
The script can place real trades immediately when run with --live, without a confirmation prompt, interlock, or separate approval step. In a trading skill, this is materially dangerous because a typo, automation mistake, or accidental invocation can trigger irreversible financial actions with live funds.

Credential Access

High
Category
Privilege Escalation
Content
python scripts/sim_redeem.py --source sdk:spreadsniper   # filter by source

Cron (every 15 min):
    */15 * * * * source ~/.openclaw/workspace/.env && \\
        python3 ~/.openclaw/workspace/skills/polymarket-spread-sniper/scripts/sim_redeem.py --live \\
        >> ~/.openclaw/workspace/skills/sim_redeem.log 2>&1
"""
Confidence
74% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
def _load_env():
    env_path = Path(__file__).resolve().parents[4] / ".env"
    if env_path.exists():
        for line in env_path.read_text().splitlines():
            line = line.strip()
Confidence
86% confidence
Finding
.env"

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.