Polymarket Auto-Trader

Security checks across malware telemetry and agentic risk

Overview

This skill is transparently aimed at autonomous Polymarket trading, but it gives agents persistent, private-key-backed authority to approve contracts and place real trades with weak safety boundaries.

Only install this after careful review with a dedicated low-balance wallet, revoked or tightly bounded approvals, explicit spend limits, and a clear way to stop the cron job. Do not use a primary wallet or paste private keys into prompts or logs, and verify Polymarket access is legal and permitted in your jurisdiction.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (12)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 96%
Finding: The skill declares no permissions while clearly requiring sensitive capabilities: environment secret access, file reads/writes, and network access to trading and LLM services. This mismatch undermines least-privilege controls and can cause the platform or user to invoke a high-risk autonomous trading skill without understanding that it can read keys, persist data, and place external requests.

Vague Triggers

Severity: Medium
Confidence: 86%
Finding: The invocation description is broad enough to match generic requests like 'build a trading bot' or 'set up automated trading,' which could auto-select this Polymarket skill in contexts the user did not intend. Because this skill is capable of autonomous trading and handling private keys, over-broad routing increases the chance of accidental activation of a financially dangerous workflow.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The document explicitly instructs users to grant unlimited token approvals (`approve(MAX_UINT256)` and `setApprovalForAll(true)`) to multiple spender contracts without any warning about the custody risk. In an autonomous trading bot context, this is more dangerous because users may follow setup instructions mechanically, and any compromised, upgraded, or misaddressed spender could drain approved assets far beyond the intended trade amount.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The documentation instructs users to derive API credentials directly from a wallet private key but does not warn that this key is highly sensitive and effectively controls funds. In the context of an autonomous trading skill, normalizing direct private-key handling increases the chance that downstream agents, developers, or users will expose the key in code, logs, prompts, or insecure storage, leading to account compromise and loss of assets.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The examples show live order placement and cancellation calls without any warning that these actions can execute real trades, incur fees, and create irreversible financial exposure. Because this skill is specifically an autonomous Polymarket trading agent, omission of safety guidance is more dangerous: users may copy examples into production or let an agent invoke them without dry-run controls, spending real funds unexpectedly.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The script immediately loads a private key from the environment and uses it to sign and broadcast real Polygon transactions without any interactive confirmation, dry-run mode, or explicit warning about the irreversible nature of token approvals. In an autonomous trading skill context, this is more dangerous because users may run setup scripts as part of onboarding and unintentionally authorize spenders on-chain without understanding the consequences.

Missing User Warnings

Severity: High
Confidence: 98%
Finding: The script grants MAX_UINT ERC20 approval and broad ERC1155 operator approvals to multiple contracts, which gives those contracts effectively unrestricted ability to move assets covered by the approvals. If any approved contract is compromised, upgraded maliciously, incorrectly configured, or if the addresses are wrong, funds can be drained without further user action.

Missing User Warnings

Severity: High
Confidence: 98%
Finding: The script directly places live Polymarket orders and appends trade records without any runtime confirmation, dry-run default, or explicit safety interlock at the execution point. In an agent-skill context, this is dangerous because simply invoking the skill can cause irreversible financial transactions using the loaded private key, increasing the risk of accidental or unauthorized trading.

Missing User Warnings

Severity: Medium
Confidence: 77%
Finding: The code loads a blockchain private key and LLM API key for immediate operational use, but the script provides no inline disclosure or consent boundary around that sensitive capability. In this skill context, credential-backed autonomous trading is especially risky because the presence of these secrets enables both external API usage and direct asset movement if the script is run inadvertently.

Natural-Language Policy Violations

Severity: Medium
Confidence: 95%
Finding: The script explicitly instructs users to deploy on a non-US VPS, which appears designed to route operation through a specific foreign jurisdiction rather than documenting a technical requirement. In the context of an autonomous trading bot for Polymarket, this increases legal/compliance risk and suggests geo-restriction evasion, which is dangerous because it encourages users to bypass platform or regulatory controls.

Session Persistence

Severity: Medium
Category: Rogue Agent
Content:
### 5. Cron Automation

```bash
crontab -e
# Add: */10 * * * * cd /opt/trader/app && /opt/trader/bin/python3 run_trade.py >> cron.log 2>&1
```
Confidence: 93%
Finding: `crontab -e`

Session Persistence

Severity: Medium
Category: Rogue Agent
Content:
echo "3. Copy trading scripts to /opt/trader/app/"
echo ""
echo "4. Set up cron:"
echo "   crontab -e"
echo "   */10 * * * * cd /opt/trader/app && /opt/trader/bin/python3 run_trade.py >> cron.log 2>&1"
Confidence: 90%
Finding: `crontab -e`

VirusTotal

65/65 vendors flagged this skill as clean.