Security audit

Polymarket Signal Sniper

Security checks across malware telemetry and agentic risk

Overview

This is a real-money trading skill with mostly coherent disclosures, but it has high-impact wallet/account authority and at least one automatic account-level action that is not clearly user-gated.

Install only if you intend to let this skill inspect a Simmer trading account and potentially place real Polymarket trades. Use dry-run or paper mode first, prefer a dedicated low-balance wallet, avoid using a production private key, and do not run --live unattended unless you accept the auto-redeem behavior and the lack of per-trade confirmation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill documentation describes capabilities that require network access, environment secret access, and persistent local state, but it does not declare permissions accordingly. This undermines user consent and platform enforcement because a user may install a seemingly harmless skill that can read secrets, write files, and place trades through external APIs.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The documented purpose frames the skill as monitoring/sniping opportunities, but the content shows materially more sensitive behavior: executing live trades, querying portfolio data, persisting history, and interacting with external account/trade APIs. This mismatch is dangerous because users may authorize or run the skill without realizing it can affect funds, expose financial data, and maintain local state beyond simple feed monitoring.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The script communicates with Simmer account APIs and uses a Simmer bearer token even though the skill is presented as a Polymarket/RSS signal-sniping tool. This mismatch is a supply-chain integrity issue: users may grant credentials or run code under false assumptions, increasing the risk of unintended data access and account interaction.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The header and CLI usage identify this as a 'Simmer Account Status' tool, which conflicts with the advertised Polymarket signal-sniping capability. In a third-party skill, such inconsistencies are dangerous because they can disguise unrelated financial-account access code and undermine a user's ability to make informed trust decisions.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill performs an automatic portfolio-affecting action at startup by calling auto_redeem() before scanning feeds. Even if redemption is beneficial, it exceeds the stated RSS monitoring/signal-sniping purpose and can change account state without an explicit user-triggered action for that run.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The CLI help for --scan-only claims 'Only scan, don't analyze', but the implementation still fetches market context and evaluates safeguards before stopping. This is a trust and transparency issue: users may choose the mode expecting a passive scan, while the skill still performs richer account/market analysis than promised.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill instructs users to place a wallet private key in an environment variable and emphasizes operational convenience, but it does not provide strong secret-handling guidance, storage restrictions, or warnings about compromise impact. In a trading skill, exposure of this key can directly lead to unauthorized orders and loss of funds, making the context particularly sensitive.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The manifest advertises support for self-custody trading via a wallet private key, but it does not define any trigger restrictions, approval gates, or other invocation constraints in the manifest itself. In a trading skill, this expands the blast radius of any downstream logic flaw or prompt-injection issue by enabling real-money actions with user-managed credentials.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Passing --live causes the skill to execute real trades immediately without an interactive confirmation step or equivalent safety interlock. In a trading skill handling financial transactions, this increases the chance of accidental execution from operator error, automation misuse, or misunderstood defaults and flags.

VirusTotal

VirusTotal findings are pending for this skill version.

Static analysis

No suspicious patterns detected.