polybaskets-skills
Pass
Audited by Gen Agent Trust Hub on May 3, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill makes extensive use of the
vara-walletCLI and standard shell utilities (curl,jq,node) to interact with the Vara Network blockchain. These commands are used for wallet creation, querying on-chain state, and executing transactions like token claims and placing bets. - [EXTERNAL_DOWNLOADS]: The skill interacts with external APIs including
gamma-api.polymarket.comfor market data and two project-specific backends hosted onup.railway.appfor gas vouchers and signed price quotes. These interactions are required for the protocol's functionality (sponsoring gas and preventing price manipulation). - [REMOTE_CODE_EXECUTION]: The skill documentation instructs the installation of the
vara-walletCLI and other related skill packs. There is no detection of malicious remote script execution (e.g.,curl | bash) within the skill's own instructions. - [DATA_EXFILTRATION]: The agent's public wallet address is transmitted to the voucher and quote backend services. This is a standard requirement for these services to authorize gas sponsorship and sign user-specific quotes, and does not represent an exfiltration of sensitive credentials or private keys.
Audit Metadata