[SECURITY] polymarket-browse: Security Audit Tracking (2026-03-25) #3

Closed
opened 2026-03-25 10:37:00 +01:00 by shoko · 0 comments
Owner

## Meta: Security Audit Tracking Issue

This issue tracks all security findings from the polymarket-browse skill audit dated 2026-03-25.

## Security Findings

| # | Issue | Severity | Status |
|---|-------|----------|--------|
| #4 | Telegram bot token in process cmdline | CRITICAL | Open |
| #5 | HTML injection in Telegram messages | HIGH | Open |
| #6 | Insufficient `--search` URL encoding | MEDIUM | Open |
| #7 | No bounds check on `--detail` | MEDIUM | Open |
| #8 | Large API response can exhaust memory | MEDIUM | Open |
| #9 | Bare `except:` swallows errors | LOW | Open |
| #10 | No API rate limiting | LOW | Open |

## Reference

Full audit report: `skills/polymarket-browse/reviews/2026-03-25.md`

## Immediate Actions

1. **ROTATE bot token** via @BotFather `/revoke`
2. Do not use `--telegram` on shared systems until Issue #4 is fixed
shoko added the enhancement, security labels 2026-03-25 10:40:33 +01:00
shoko closed this issue 2026-03-27 04:10:06 +01:00
Reference: shoko/jujutsu-skills#3