polymarket-agent
Audited by Socket on Feb 21, 2026
1 alert found:
Malware [Skill Scanner]: Natural language instruction to download and install from URL detected

All findings:
- [CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4]
- [CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4]

The polymarket-agent skill is purpose-aligned and technically coherent: it aims to be an autonomous Polymarket trading assistant that takes market-data inputs and external news and performs trading actions. Key risks include: reliance on an install script for setup, handling of POLYMARKET_KEY without explicit security constraints, data retention and privacy in memory, and the potential for autonomous trades without granular per-trade consent. To deploy it safely, enforce strict consent, implement explicit per-trade prompts or hard autonomous-mode safeguards, and document secure memory handling and source verification. If these safeguards are in place, the footprint remains acceptable for an automated analysis/trading assistant.

LLM verification: This SKILL is functionally coherent for an autonomous Polymarket trading assistant, but it contains multiple high-risk supply-chain and operational patterns: post-install download-and-execute instructions, installing and invoking a third-party CLI that will handle wallet credentials, allowing autonomous trade execution, and scheduling cron jobs for future actions. There is no explicit malicious payload in the provided text, but the combination of install-execute instructions and credential-beari