
Security audit

Super Polymarket Trade

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a disclosed Polymarket data and paper-trading helper that uses public market APIs and stores only local watchlist and simulated portfolio files.

Install only if you are comfortable with the skill making unauthenticated HTTPS requests to Polymarket's public Gamma API and storing your watched markets and simulated portfolio under ~/.polymarket/. It does not appear to handle credentials or make real trades, but review the external guide link and avoid adding real wallet or account secrets.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill documentation describes network access and local file storage, but the manifest declares no permissions despite requiring Python and invoking a script that performs HTTPS requests and writes to ~/.polymarket/. This creates a transparency and policy-enforcement gap: users or platforms may authorize the skill under the false assumption that it is read-only or capability-free, when it can access the network and persist local state.

Tp4

High
Category
MCP Tool Poisoning
Confidence
84% confidence
Finding
The top-level description frames the skill as market access and analysis, but the documented behavior also includes persistent watchlists, cron-oriented alerting, and a local paper-trading portfolio with transaction history. This mismatch is dangerous because it obscures stateful behavior and ongoing automation, which can surprise users, expand the skill's effective scope, and lead to unintended local data retention or repeated background execution.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill description presents read-only market access and analysis, but the implementation also creates persistent local state via JSON files under the user's home directory. This is a capability mismatch that can violate user expectations and trust boundaries, especially in agent environments where users may approve a skill expecting no local writes.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The code implements buy/sell paper-trading operations that materially extend behavior beyond the stated market-data and analysis purpose. Even though trades are simulated locally, these commands can mislead users and orchestration systems about the skill's scope, increasing the risk of unintended state changes and unsafe automation assumptions.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
Watchlist and portfolio management are not necessary for basic market data retrieval, so their presence expands the skill's authority beyond its declared purpose. In an agent setting, unjustified persistence and stateful behavior increase attack surface and can enable silent accumulation of user behavioral data or unwanted filesystem modifications.

Missing User Warnings

Low
Confidence
83% confidence
Finding
The script writes watchlist and portfolio data to the local filesystem without prominent runtime disclosure or consent messaging. While not an exploit by itself, this weak transparency can lead to privacy surprises and inappropriate use in contexts where users or platform policy expect read-only behavior.

VirusTotal

65/65 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.