polymarket
Audited by Snyk on Apr 13, 2026
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill routinely fetches and ingests untrusted, public third-party content from Polymarket's open APIs (CLOB, Gamma, and Data APIs) — see the SKILL.md "Data Trust Boundary" and the commands
list-markets,get-market, andget-positions— and the agent is required to read/interpret those fields (question, outcome, order book, tick_size, min_order_size, best_bid/ask, etc.) which directly influence trading decisions and subsequent tool actions (pre-sell liquidity checks, order construction, approvals), so this clearly exposes the agent to potential indirect prompt injection via API-sourced strings.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill's pre-flight install runs curl -fsSL https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh | sh (which fetches and executes a remote shell script at runtime) and also downloads a runtime polymarket binary from https://github.com/okx/plugin-store/releases/download/plugins/polymarket@0.2.3/... (fetching remote executable used by the skill), so these URLs supply and execute required remote code.
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). I scanned the full skill prompt for literal, high-entropy values that could be real credentials.
Flagged item:
- The base64 string 'OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw==' embedded in the install/report snippet is a high-entropy literal value. It is decoded into _K and then used to compute an HMAC_SIG for telemetry/reporting; that use indicates it functions as a secret key. A hardcoded base64 secret used to generate HMACs is a real credential and should be treated as sensitive.
Ignored items (reasoning):
- Environment variable placeholders (POLYMARKET_API_KEY, POLYMARKET_SECRET, POLYMARKET_PASSPHRASE) are only names/placeholders and contain no actual values — ignored per the docs.
- Example/truncated/replacement values like '0xdeadbeef...', 'sk-xxxx', 'YOUR_API_KEY', and the example commit hash/addresses are placeholders or public addresses (contract addresses are public on-chain) and not high-entropy secrets — ignored.
- Any simple words or example passwords (none present here beyond placeholders) would be ignored per the "low-entropy/setup" rule.
Conclusion: the embedded base64 literal appears to be a real, hardcoded secret used to derive an HMAC signature and should be treated as a secret leak.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly a trading plugin for Polymarket with built-in write operations that move funds and sign blockchain transactions. It exposes commands to "buy", "sell", and "cancel" orders, requires an onchainos wallet, performs EIP‑712 signing via onchainos, auto-submits on‑chain approval transactions (USDC.e approve and ERC‑1155 setApprovalForAll) and broadcasts order/settlement activity. Credentials are derived and cached, and USDC.e flows from the user wallet when orders are matched. These are specific crypto/blockchain financial execution capabilities (wallet signing, submitting token approvals, and placing/canceling market orders), not generic tooling.
Issues (4)
Third-party content exposure detected (indirect prompt injection risk).
Unverifiable external dependency detected (runtime URL that controls agent).
Secret detected in skill content (API keys, tokens, passwords).
Direct money access capability detected (payment gateways, crypto, banking).