polymarket

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly instructs the agent to fetch and act on public Polymarket content (e.g., Gamma API endpoints like /events, /markets and /comments, the RTDS comments WebSocket, and the external llms.txt index), which are open, user-generated/public sources that the agent is expected to read and that can materially influence trading actions and tool use.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill explicitly instructs agents to "Always consult llms.txt" at runtime (https://docs.polymarket.com/llms.txt), which the agent would fetch and use as the authoritative machine-readable index guiding which endpoints/docs to load—i.e., external content that can directly control the agent's instructions and behavior.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). Yes. The skill is explicitly for trading and moving on-chain funds: it includes authenticated trading endpoints (POST /order, POST /orders, cancel endpoints), bridge deposit/withdraw endpoints, CTF on-chain operations (split/merge/redeem converting USDCe and outcome tokens), and L1/L2 authentication that requires signing with private keys or API secrets. Example SDK calls show creating API credentials and placing orders, and the docs discuss allowances, funder addresses, and withdrawals — all clear, specific capabilities to execute financial transactions.