Prediction Market Creator

Security checks across malware telemetry and agentic risk

Overview

This skill matches its stated purpose, but it can autonomously spend testnet wallet funds and publish prediction markets without a built-in confirmation step or clear limits.

Review this carefully before installing. Use only a dedicated low-value Base Sepolia test wallet, never a main wallet key, and run it manually first. Add or require a confirmation step that shows the proposed market, contract address, deposit, gas settings, and Betbud payload before signing or posting. Avoid cron/24-7 operation unless you also add rate, budget, and monitoring controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Tainted flow: 'data' from requests.get (line 201, network input) → requests.post (network output)

Medium
Category
Data Flow
Content
}
    
    try:
        resp = requests.post(url, headers=headers, json=data, timeout=10)
        resp.raise_for_status()
        result = resp.json()
        print(f"Bubble registered successfully!")
Confidence
84% confidence
Finding
resp = requests.post(url, headers=headers, json=data, timeout=10)

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The skill signs and submits a blockchain transaction using a locally available private key and sends value with the transaction. This creates irreversible, value-bearing side effects without user confirmation, budget limits, simulation, or a clearly stated safe operational context.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill posts market metadata and wallet information to a live external production service, causing remote state changes outside the local environment. This is dangerous because it couples automated decision-making to a public service without authentication assurances, consent flow, or rollback capability.

Intent-Code Divergence

Low
Confidence
88% confidence
Finding
The comment frames the public workflow call as safer because there is no hardcoded API key, but the real risk is the live unauthenticated side effect. Such commentary can mislead reviewers into underestimating that the function still creates production records on an external service.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill explicitly instructs users to run an agent that will create blockchain markets and register them on an external platform, but it does not provide a clear warning that these are autonomous actions with real effects outside the local environment. Even on a testnet, this can lead to unintended transactions, spammy market creation, platform abuse, or misuse if users deploy it without understanding the operational consequences.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill asks users to supply an Ethereum wallet private key in a .env file but does not include strong guidance on secure handling, scope limitation, or the authority that key grants. Private keys are highly sensitive; if mishandled, logged, committed, reused, or loaded into an unsafe environment, an attacker could take control of the wallet and sign unauthorized transactions.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill accesses multiple sensitive secrets including an RPC URL, API keys, and a blockchain private key with no user-facing disclosure or runtime consent. In this context, that is risky because the secrets are then used to perform external calls and sign transactions automatically.

Missing User Warnings

Medium
Confidence
77% confidence
Finding
The skill collects third-party content from external services and later transmits derived content to another third party, but there is no disclosure or user control over that data flow. While the fetched tweets are public content, hidden cross-service transmission can still create compliance and trust issues.

Missing User Warnings

High
Confidence
99% confidence
Finding
The code submits a signed blockchain transaction with attached value and waits for confirmation without any explicit confirmation step. Because blockchain writes are effectively irreversible and spend funds, silent execution materially increases operational and financial risk.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill sends wallet address, market number, question text, rules, and image URL to an external service without explicit disclosure. In combination with automated market creation, this creates a hidden external publication/registration path that users may not expect.

Ssd 4

Medium
Confidence
96% confidence
Finding
Untrusted social-media content is injected directly into the LLM prompt, and the model's output is then used to drive consequential actions including on-chain market creation and external registration. This creates an indirect prompt-injection path where malicious or manipulative posts can steer the model toward unsafe, abusive, or policy-violating outcomes.

VirusTotal

66/66 vendors flagged this skill as clean.
