Polymarket Worldcup Watcher

Security checks across malware telemetry and agentic risk

Overview

This is a small Polymarket odds-monitoring skill whose Telegram alerts are disclosed and fit its stated purpose, though users should understand the external sharing involved.

Install only if you are comfortable with market alerts being sent through Telegram and with using Polymarket API access, possibly through a proxy. Configure Telegram bot tokens and chat IDs carefully, and treat the USDT subscription/contact flow as a separate trust decision about the publisher.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 87%
Finding
The skill explicitly sends alerts to Telegram, an external third-party messaging platform, but does not disclose what data is transmitted, how chats/bots are configured, or the privacy implications. This can expose monitoring activity, market interests, account-linked metadata, or channel membership to external services and mislead users into enabling data egress they did not fully understand.

VirusTotal

64/64 vendors flagged this skill as clean.
