polymarket-sync-series
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Full Analysis
- [Data Exposure & Exfiltration] (SAFE): No hardcoded credentials or sensitive file access patterns were found. The skill correctly references a temporary context variable for the OpenAI API key ($TEMP_CONTEXT_VARIABLE_SDK_OPENAI_API_KEY) instead of hardcoding a secret.
- [Unverifiable Dependencies & Remote Code Execution] (SAFE): No external package managers or remote script execution via curl/wget were detected. The skill uses defined internal MCP tool calls.
- [Indirect Prompt Injection] (LOW): The skill ingests data from the Polymarket Gamma API.
  - Ingestion points: Data is fetched via the 'get_series' command in 'references/series-api.md'.
  - Boundary markers: No explicit sanitization or delimiters for the ingested series data (title, description) are shown in the provided mapping logic.
  - Capability inventory: The skill can write to the local document store ('bulk-save') and execute other workflows ('polymarket-sync-events').
  - Sanitization: Not explicitly present in the provided snippets. This creates a surface for indirect prompt injection if the API content contains malicious instructions, though this is managed by the agent's underlying safety filters.
Audit Metadata