polymarket-elon-tweets
Audited by Socket on Feb 19, 2026
1 alert found:
Malware [Skill Scanner]: Installation of third-party script detected

All findings:
[CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4]
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]

This skill's stated purpose (automated Polymarket trading on Elon tweet-count markets using XTracker pace data) aligns with the capabilities described. The main security concerns are operational/design risks: it asks for a raw WALLET_PRIVATE_KEY environment variable (sensitive), routes trade and portfolio data through a third-party service (simmer.markets), and exposes an option to disable safeguards that protect against risky automated behavior. There is no explicit evidence in this descriptor of obfuscated code or direct malware (no encoded payloads, no eval/dynamic execution shown), but the need to trust the Simmer SDK and backend, plus the private-key handling, are high-impact trust decisions. If the implementation were to mishandle keys, leak them, or route them to third parties beyond the documented endpoints, that would be high risk. Based on the provided document alone, I rate this as suspicious from an operational-security perspective (sensitive credential use and powerful automated actions) but not directly malicious.

LLM verification: The skill appears to be a legitimate automated trading utility that uses XTracker data and the Simmer SDK to trade Polymarket tweet-count markets. No direct evidence of intentionally malicious code is present in the provided text. However, there are notable security concerns: (1) asking users to store a full wallet private key in environment variables (high sensitivity), (2) recommending an unpinned pip install (supply-chain risk), (3) auto-import functionality and a --no-safeguards flag that ca