Security audit

Polymarket Wallet X-Ray

Security checks across malware telemetry and agentic risk

Overview

The skill mostly performs wallet analysis, but it gives conflicting guidance about authentication and includes authenticated Simmer account access plus copytrading recommendations.

Review this carefully before installing. The main analyzer appears read-only, but do not provide SIMMER_API_KEY unless you intend the skill to access your Simmer account portfolio and positions. Treat the copytrading outputs as unsupported analysis, not financial advice, and be aware that the live-trading disclaimer appears inconsistent with the code that was reviewed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill advertises network and environment-variable use but does not declare permissions, which undermines least-privilege controls and informed consent. In agent environments, undeclared env and network capabilities can expose secrets such as API keys and allow unexpected outbound requests beyond what the manifest suggests.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
This is a true trust-boundary and transparency problem: the skill claims to use only public Polymarket APIs with no authentication, yet the documentation requires a Simmer API key and references authenticated Simmer account data. Users or agents may grant broader trust and provide credentials under false assumptions, increasing the risk of unintended data access or exfiltration to a third-party service.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The disclaimer states that running the skill with `--live` places real on-chain orders, which directly contradicts the stated skill purpose of read-only wallet analysis using public APIs and no authentication. This mismatch is dangerous because operators may import a supposedly passive analysis skill that actually contains or is documented as containing trading behavior, creating a serious risk of unauthorized fund movement or deceptive functionality.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
References to strategy defaults, profitability, paper mode, and position sizing describe a trading system rather than a passive wallet x-ray tool. In this context, the discrepancy suggests the skill may be misrepresented or bundled with unrelated execution logic, which can mislead users about the trust boundary and cause them to enable a skill that does more than advertised.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
Calling the skill a 'framework' and warning about connecting it to a wallet with real funds conflicts with the claim that it only queries public APIs without authentication. Even if this is copied from another project rather than malicious, such contradictory safety messaging undermines user understanding and can conceal elevated capabilities or future misuse.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The manifest and body conflict about whether the skill is unauthenticated and Polymarket-only versus requiring a SIMMER_API_KEY and Simmer API access. Security-sensitive documentation inconsistencies are dangerous because operators may install and run the skill with incorrect expectations about credential handling and external data flows.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
Contradictory documentation about authentication and data sources can cause unsafe deployment decisions and poor review outcomes. In a skill ecosystem, this makes the package more dangerous because reviewers and users may approve or invoke it as low-risk public-data analysis when it actually relies on authenticated third-party access.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The script’s behavior does not match the declared skill purpose. Instead of analyzing public Polymarket wallets without authentication, it accesses authenticated Simmer account portfolio data, which indicates deceptive capability drift and could trick users into supplying sensitive credentials for an unrelated service.

Intent-Code Divergence

High
Confidence
95% confidence
Finding
The module documentation explicitly describes a Simmer account status tool, directly contradicting the advertised Polymarket wallet x-ray skill. This inconsistency is dangerous because it can conceal unauthorized data access behavior and mislead reviewers or users about what the code actually does.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code requests a private SIMMER_API_KEY from the environment and uses it to access authenticated Simmer API endpoints, which is unjustified for a public, no-auth Polymarket analysis skill. In this context, credential collection is especially suspicious because it expands the skill’s access beyond its declared scope and could expose private financial account data.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The code generates explicit copytrading and capital-allocation recommendations such as 'Safe to copytrade with 25-50% of capital,' which goes beyond descriptive wallet analytics into prescriptive financial advice. In a public-facing skill, this can mislead users into acting on unverified heuristics, creating legal/compliance risk and potential user financial harm if recommendations are poor or manipulated.

Natural-Language Policy Violations

Medium
Confidence
91% confidence
Finding
The recommendation text provides one-size-fits-all investment advice without accounting for jurisdiction, suitability, or regulatory context. In the context of a wallet-analysis skill, this makes the output more dangerous because users may treat the tool's scoring model as authoritative financial guidance despite limited data quality and simplistic heuristics.

VirusTotal

VirusTotal findings are pending for this skill version.

Static analysis

No suspicious patterns detected.