polymarket-copytrading

Warn

Audited by Snyk on Mar 15, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). This skill fetches and acts on public, user-generated market and wallet data (e.g., via the Simmer API endpoints like POST /api/sdk/copytrading/execute and GET /api/sdk/positions in copytrading_trader.py and scripts/status.py, and references public leaderboards such as predicting.top/Polymarket) which the agent consumes to plan and execute trades, so untrusted third-party content can materially influence its actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill calls the Simmer API at runtime (https://api.simmer.markets) to fetch a server-generated trade plan which the client then executes, so remote content from that URL directly controls the agent's actions (trades).

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly built to execute market orders on Polymarket via the Simmer SDK/API. It includes commands and flags to perform real trades (--live, --rebalance, --whale-exits), describes execution steps ("9. Executes trades via Simmer SDK (respects spending limits)"), exposes API endpoints (https://api.simmer.markets, /api/sdk/portfolio, /api/sdk/positions), and requires a WALLET_PRIVATE_KEY for signing orders. It also documents handling of USDC/USDC.e and real-money constraints (minimums, balances). These are direct crypto/market execution capabilities (sending transactions, signing with a private key, buying/selling positions), not generic tools — therefore this grants Direct Financial Execution Authority.

Issues (3)

  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
  • W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 15, 2026, 06:40 PM
Issues: 3