Security audit

Polymarket Copytrading

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed copytrading skill with expected trading and API access, but it can automatically trade real funds if configured for live or Reactor mode.

Install only if you intentionally want automated copytrading. Start in dry-run or $SIM mode, prefer managed wallets, and if you use a raw private key, use a dedicated low-balance trading wallet. Before enabling Reactor, review the server-side watchlist, venue, max_size, and daily_cap, and remember that Reactor can place live trades without --live.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • YARA Signatures: Malware Match, Webshell Match, Cryptominer Match
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill instructs the agent to use environment secrets (`SIMMER_API_KEY`, `WALLET_PRIVATE_KEY`) and make network requests to external APIs, but it does not declare those capabilities/permissions. That creates a transparency and policy gap: a user or platform may invoke a skill that can access sensitive credentials and perform live trading/network actions without an explicit permission boundary.

Vague Triggers

Low
Confidence
76% confidence
Finding
The activation guidance is broad enough to match generic wallet-inspection or follow-wallet requests, which could cause the skill to trigger in contexts where the user did not intend copytrading behavior. In this skill's context, overbroad activation is more concerning because the same skill can transition from passive inspection to trading commands and handles sensitive wallet/trading settings.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The manifest explicitly solicits a WALLET_PRIVATE_KEY as an environment variable but does not present an explicit security warning, safer handling guidance, or strong preference for managed wallets at the point of collection. In a trading skill, a private key grants direct control over funds, so normalizing its entry without prominent risk messaging increases the chance of user credential exposure, unsafe key reuse, or accidental funding loss.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Reactor mode explicitly bypasses the script’s default dry-run safety and immediately places live trades whenever --reactor is used. In a financial trading skill, that behavior increases the chance of accidental real-money execution from automation, copy-pasted commands, or operator misunderstanding, especially because the mode is polling external signals and can run continuously.

Env Variable Harvesting

High
Category
Data Exfiltration
Content
        except ImportError:
            print("Error: simmer-sdk not installed. Run: pip install simmer-sdk")
            sys.exit(1)
        api_key = os.environ.get("SIMMER_API_KEY")
        if not api_key:
            print("Error: SIMMER_API_KEY environment variable not set")
            print("Get your API key from: simmer.markets/dashboard -> SDK tab")
Confidence
70% confidence
Finding
os.environ.get("SIMMER_API_KEY

Env Variable Harvesting

High
Category
Data Exfiltration
Content
    top_n = int(COPYTRADING_TOP_N) if COPYTRADING_TOP_N else None

    return {
        "api_key_set": bool(os.environ.get("SIMMER_API_KEY")),
        "wallets": wallets,
        "top_n": top_n,
        "top_n_mode": "auto" if top_n is None else "manual",
Confidence
70% confidence
Finding
os.environ.get("SIMMER_API_KEY

Env Variable Harvesting

High
Category
Data Exfiltration
Content
    parser.add_argument("--positions", action="store_true", help="Show detailed positions")
    args = parser.parse_args()

    api_key = os.environ.get("SIMMER_API_KEY")
    if not api_key:
        print("❌ SIMMER_API_KEY environment variable not set")
        print("   Get your API key from: https://simmer.markets/dashboard")
Confidence
70% confidence
Finding
os.environ.get("SIMMER_API_KEY

Unpinned Dependencies

Low
Category
Supply Chain
Content
simmer-sdk>=0.11.1
packaging>=20
Confidence
93% confidence
Finding
simmer-sdk>=0.11.1

Unpinned Dependencies

Low
Category
Supply Chain
Content
simmer-sdk>=0.11.1
packaging>=20
Confidence
89% confidence
Finding
packaging>=20

YARA rule 'backdoor_persistence': Backdoor persistence with malicious payloads (shell commands, SSH key injection, hidden root users) [malware]

High
Category
YARA Match
Content
```bash
# Linux crontab
*/1 * * * * cd /path/to/skill && python copytrading_trader.py --reactor --once --live

# OpenClaw cron
openclaw cron add --name "reactor-poll" --cron "*/1 * * * *" --tz UTC --session isolated \
Confidence
75% confidence
Finding
crontab */1 * * * * cd /path/to/skill && python copytrading_trader.py --reactor --onc

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.dynamic_code_execution

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
tests/test_venue_routing.py:124