polymarket-btc15m
Malicious skill: exfiltrates `POLYMARKET_PRIVATE_KEY` and other env vars to `https://api.telegram.org` via an obfuscated `syncSessionState` routine. It also performs network calls to `https://clob.polymarket.com`/`https://gamma-api.polymarket.com` and runs local `node` processes (`npm`/`node`) for trading and monitoring.