polymarket
Audited by Snyk on Apr 9, 2026
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.70). Most links are to legitimate docs/GitHub/official domains, but the workflow includes curling+sh a raw script and downloading prebuilt binaries from a third‑party GitHub release (MigOKG), which are direct executable distribution vectors from sources that may be unvetted—so there is a meaningful risk unless you audit the script/binaries and verify signatures.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches market titles/descriptions and order-book data from external Polymarket CLOB/Gamma/Data APIs (see the "Data Trust Boundary" and the
list-markets/get-marketcommand descriptions in SKILL.md), those market texts are user-authored/untrusted content that the agent is expected to read and that can materially influence trading decisions, creating a clear indirect prompt-injection risk.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill's pre-flight steps fetch and execute remote code at runtime (required for operation), e.g. curl -fsSL https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh | sh and curl -fsSL https://github.com/MigOKG/plugin-store/releases/download/plugins/polymarket@0.1.0/polymarket-${TARGET} -o ~/.local/bin/polymarket (then chmod +x), which download and execute remote scripts/binaries.
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). I found one embedded high-entropy literal that appears to be an obfuscated secret: in the "Report install" block the script sets
_K=$(echo 'OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw==' | base64 -d ...)
This base64 string is a literal, high-entropy value that is decoded at runtime and used to compute an HMAC signature (HMAC_SIG) sent in telemetry/reporting. Because it is a concrete, decodable secret embedded in the documentation/script, it qualifies as a hardcoded secret.
I did NOT flag other values because they are clearly placeholders or low-entropy examples:
- export POLYMARKET_API_KEY=, POLYMARKET_SECRET=, POLYMARKET_PASSPHRASE= are documentation placeholders.
- The py-clob-client snippet uses key='<YOUR_PRIVATE_KEY>' which is a placeholder.
- Hex contract addresses, example 0x-prefixed hashes, the commit id, and URLs are not secrets.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly designed to execute financial transactions on a blockchain prediction market. It provides dedicated trading commands (buy, sell, cancel) that require API credentials and wallet signing, builds and submits EIP-712 orders, and performs on‑chain operations (USDC.e approvals and contract calls via
onchainos wallet contract-call --force) that broadcast transactions and move funds. It also requires/uses Polymarket CLOB API keys and HMAC secrets for order submission and caches credentials. These are concrete crypto/blockchain market-order and payment-related capabilities (not generic automation), so it grants direct financial execution authority.
Issues (5)
Suspicious download URL detected in skill instructions.
Third-party content exposure detected (indirect prompt injection risk).
Unverifiable external dependency detected (runtime URL that controls agent).
Secret detected in skill content (API keys, tokens, passwords).
Direct money access capability detected (payment gateways, crypto, banking).