Back to skill

Security audit

Polymarket Market Maker

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Polymarket trading automation skill with real financial risk only when the user explicitly enables live mode.

Install only if you understand Polymarket market-making and can monitor open orders, inventory, and balances. Start with dry-run, use small quote sizes and an explicit market allowlist, avoid unsupported market types, keep API and wallet secrets in secure storage, and treat any --live cron or automaton run as real unattended trading.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The documentation creates ambiguity about whether running the script without `--live` is non-destructive, while other sections describe unconditional order posting and cancellation behavior. In a trading skill, unclear mode semantics can cause users or automation to place or cancel real orders unexpectedly, leading to unintended financial exposure.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The skill is presented as binary-only, yet the limitations section states it will still quote `neg_risk` multi-outcome markets even though its `1-ask_yes` pricing logic is incorrect there. That is a real safety flaw because users may deploy the strategy on unsupported market structures and systematically post mispriced orders, creating direct loss risk.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The live trading and cron sections encourage automated recurring execution but do not prominently warn that each run may submit and cancel real GTC orders, changing inventory and tying up capital. In an automated trading context, missing warnings materially increase the chance of accidental repeated market interaction and unmanaged exposure.

Missing User Warnings

Low
Confidence
72% confidence
Finding
The instructions show use of a live API key (`sk_live_...`) without adjacent guidance on secure storage, rotation, or avoiding shell history leakage. While this is common operational documentation, in a wallet-connected trading skill it increases the risk of credential exposure and unauthorized trading if users handle the key unsafely.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The manifest explicitly invites users to provide a WALLET_PRIVATE_KEY for self-custody trading, but the description does not include any warning about the sensitivity of that secret, storage/handling expectations, or the financial risk of automated trading. In a trading skill, this omission is material because users may expose a signing key to automation without understanding the custody and loss implications.

Unpinned Dependencies

Low
Category
Supply Chain
Content
simmer-sdk>=0.13.0
Confidence
93% confidence
Finding
simmer-sdk>=0.13.0

VirusTotal

56/56 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.