polymarket-sync-events
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Full Analysis
- [Data Exposure & Exfiltration] (SAFE): The skill references an OpenAI API key requirement for embeddings but correctly uses a context variable placeholder ($TEMP_CONTEXT_VARIABLE_SDK_OPENAI_API_KEY) rather than hardcoded credentials. No sensitive local file access or unauthorized data transmission was found.
- [Indirect Prompt Injection] (SAFE): The skill ingests external data from the Polymarket Gamma API. 1. Ingestion points: Event titles and descriptions fetched via the 'polymarket' connector in references/events-api.md and references/search.md. 2. Boundary markers: No explicit markers are present, but data is handled via structured payloads. 3. Capability inventory: The skill can execute predefined workflows and save documents to a vector store. 4. Sanitization: Interaction is limited to structured JSON fields. This surface is considered SAFE as it is necessary for the skill's primary purpose of data synchronization.
- [Unverifiable Dependencies & Remote Code Execution] (SAFE): No remote scripts, arbitrary command execution (e.g., curl|bash), or unauthorized package installations were detected. The skill relies on predefined local MCP connectors.
Audit Metadata