polymarket-cli

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.80). The skill explicitly shows and endorses passing private keys as command-line flags and storing them verbatim in config files (e.g., --private-key 0xabc..., "private_key": "0x..."), which can require the LLM to include secret values verbatim in generated commands or files.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly queries public Polymarket backends (Gamma API, CLOB API, Polygon RPC) and its required workflow (SKILL.md and references/commands-browsing.md) includes fetching user-generated content such as "comments list" and public profiles which the agent would read and could materially influence trading/actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill contains installation commands that fetch and execute remote code at runtime—specifically curl -sSL https://raw.githubusercontent.com/Polymarket/polymarket-cli/main/install.sh | sh and git clone https://github.com/Polymarket/polymarket-cli (followed by cargo install) — which would run remote code and are used to install/run the CLI.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly designed for crypto financial operations. It provides wallet creation/import and private-key resolution, signature types (EOA, gnosis-safe, proxy), and instructions for storing/using private keys. It exposes commands to place and manage orders (clob create-order, clob market-order, clob cancel, clob cancel-all), check balances/trades, manage on-chain CTF operations (split/merge/redeem), contract approvals, and bridging. It also references Polygon RPC endpoints and gas requirements. These are direct capabilities to sign and send transactions and execute market orders on-chain/off-chain, not generic tooling—therefore it grants direct financial execution authority.