Is adlai88/polymarket-ai-divergence safe?
https://github.com/openclaw/skills/tree/main/skills/adlai88/polymarket-ai-divergence
The polymarket-ai-divergence skill is a legitimate Polymarket trading signal tool with clean Python source code and no prompt injection, hidden instructions, or direct credential theft. The primary risk surface is the unverified simmer-sdk pip dependency, which executes with user privileges on every invocation and cannot be audited from the skill repo alone; a compromised package version could exfiltrate credentials or environment variables. Secondary concerns include an overridable SIMMER_API_URL in status.py that could redirect API key bearer tokens, and the inherent financial-influence risk of presenting AI trading signals as actionable BUY/SELL guidance. Canary files were read during monitoring but access is attributed to the oathe framework's own baseline and post-install scans, not the skill code.
Findings (7)
HIGH Unverified third-party pip dependency: simmer-sdk -28
The skill requires installation of simmer-sdk via pip. This package is not bundled in the repo and its contents are not auditable from the skill files. A malicious or compromised version of simmer-sdk could read environment variables (including .env contents, AWS credentials, SSH keys if loaded into env), exfiltrate data, or execute arbitrary commands at runtime with the invoking user's privileges.
MEDIUM SIMMER_API_KEY transmitted to third-party external API -10
The skill reads SIMMER_API_KEY from the user's environment and sends it as a Bearer token to https://api.simmer.markets on every execution. This is disclosed behavior but means the API key — and by extension the user's Simmer account — is accessible to the Simmer backend. If the Simmer service is compromised or the SDK is tampered with, the key could be captured.
MEDIUM SIMMER_API_URL env override enables API key redirection -8
status.py reads SIMMER_API_URL from the environment with no validation. If an attacker can set this env var (e.g., via another compromised skill, a prompt injection in a prior conversation turn, or a malicious config.json), they can redirect the Authorization: Bearer header to an arbitrary endpoint, silently exfiltrating the user's SIMMER_API_KEY.
LOW Financial trading signals from unverified third-party AI -15
The skill's core purpose is to surface AI-generated trading signals (BUY YES / BUY NO) based on Simmer's proprietary AI pricing. The signals are presented authoritatively with action verbs. If Simmer's AI is biased, wrong, or deliberately manipulated for market-moving purposes, users following the skill's recommendations could suffer financial losses. Combined with a trading automation skill, this risk escalates significantly.
LOW Persistent config write via --set flag -8
ai_divergence.py implements a --set flag that writes arbitrary key-value pairs to config.json in the skill directory. While scoped to CONFIG_SCHEMA keys, the update_config function writes JSON to disk on every --set invocation. This is a persistent side effect that survives agent restarts.
INFO Canary files read during monitoring — attributed to oathe framework 0
Filesystem monitoring recorded OPEN+ACCESS events for .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .config/gcloud/application_default_credentials.json at timestamps 1771648765.322 (before git clone) and 1771648787.824 (after install, during oathe post-install scan). Review of auditd EXECVE context places both access batches within the oathe monitoring framework's own processes (sudo/auditctl setup and post-install verification), not within any skill code. Canary integrity check confirms all files unmodified and no content exfiltration detected.
INFO Clean install — GitHub HTTPS only 0
The entire install process made only a single external TCP connection to 140.82.121.3:443 (github.com). No unexpected DNS lookups, no non-GitHub destinations, no new listening ports, no persistent processes. The filesystem diff shows only the four expected skill files written to /home/oc-exec/skill-under-test/.