
Security audit

Polymarket Politics Random Buyer

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Polymarket trading skill, but it asks for wallet-control credentials and includes under-disclosed recurring automation and redemption behavior.

Review before installing. Use a dedicated low-balance wallet, start only in dry-run, avoid providing a private key unless you trust the runtime and dependencies, understand or disable the managed cron behavior, and do not use --live or --auto-redeem without confirming the exact account actions and spending limits.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill explicitly requires sensitive environment-provided secrets such as `AION_API_KEY`/`AIONMARKET_API_KEY` and `WALLET_PRIVATE_KEY`, yet the metadata shown in `SKILL.md` declares no permissions. This creates a real security and transparency gap: operators and platforms cannot accurately assess that the skill handles high-value credentials and can place live trades, increasing the chance of unsafe execution or accidental secret exposure.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill exposes an `--auto-redeem` path that performs an additional wallet-side effect (`client.auto_redeem()`) outside the core advertised flow of selecting a market and buying. Because this action runs before trade execution and without a dedicated confirmation or clear warning, a user invoking the skill can unintentionally trigger asset/account state changes beyond the expected random-buy behavior.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
Adding an `--auto-redeem` capability to a random politics market buyer is unrelated to the stated purpose and increases the attack surface for unintended live wallet operations. In this context, the mismatch between advertised behavior and implemented capability makes the feature more dangerous because users may not anticipate that running a buying skill can also redeem positions.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The skill is configured to auto-run every 30 minutes while holding both an API key and a wallet private key, and the description indicates it can place live trades. That broad unattended schedule increases the chance of repeated unauthorized, unintended, or policy-violating political trades if the skill is misconfigured, triggered in the wrong environment, or switched from dry-run to live mode without adequate gating.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
`client.auto_redeem()` is executed whenever `--auto-redeem` is provided, with no user-facing confirmation, preview, or dry-run guard. This means a single invocation can cause a live account action even if the user primarily intended only to scan or optionally buy a market, making accidental wallet operations plausible.

VirusTotal

66/66 vendors flagged this skill as clean.
