polymarket

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill requires taking signing-derived credentials (e.g., the 0xSIG signature returned by wallet_sign_typed_data) and embedding them verbatim into subsequent bash commands (post_order.py / auth.py --save), which forces the agent to handle and output sensitive credential values.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill programmatically fetches public, user-generated Polymarket content (titles, descriptions, markets, outcomes, orderbooks and prices) from third-party endpoints such as GAMMA (gamma-api.polymarket.com) and DATA_API (data-api.polymarket.com) — e.g., scripts/search.py, tools/market_data.py, and scripts/prepare_order.py — and the agent reads and acts on that content to select markets and build/post orders, so untrusted content can materially influence actions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly designed to perform crypto financial operations on Polymarket: it prepares, signs (EIP‑712 via wallet_sign_typed_data), and submits market orders (place order / post_order.py), manages positions (close_positions builds and signs sell orders), cancels orders, and inspects balances (USDC.e on Polygon). These are concrete transaction-creating steps (prepare → sign → submit) using a wallet signer; the primary purpose is to move funds / execute trades, not a generic tool. Therefore it meets the "Direct Financial Execution" criteria.