Kalshi Trader

Security checks across malware telemetry and agentic risk

Overview

This skill is openly a Kalshi trading bot, but it enables unattended real-money trading with stored credentials and limited explicit safety controls.

Install only if you intentionally want to grant unattended access to a real Kalshi account. Use a small limited balance, review and edit the cron prompt before enabling it, prefer a safer secret store or tightly permissioned keys, rotate or revoke the API key when done, and avoid scheduled live trading unless you accept the risk of automated losses or unintended orders.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill instructs the agent to write files containing API credentials and deploy executable bot code, while also making network calls to market/data sources, yet no permissions are declared. That mismatch can bypass expected user consent and safety controls, which is especially dangerous because the skill automates live financial trading with persistent credentials.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The description includes broad trigger phrases like 'Use when a user wants to automate Kalshi trading' and related setup/reporting requests, which could cause the skill to be invoked for ordinary finance questions without a strong confirmation step. In a live-trading context, overbroad matching raises the chance of unintended activation of a bot that stores credentials, schedules jobs, and may place real trades.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill advertises fully automated trading every 15 minutes and daily reporting, but does not prominently warn that it can place live orders with real financial consequences. In this context, missing risk disclosure is dangerous because users may enable autonomous execution without understanding loss potential, fees, market risk, or the operational risks of unattended trading.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The prompt explicitly tells the agent where Kalshi API credentials are stored, which operationalizes access to sensitive authentication material during an automated cron run. In a trading bot context, exposing credential locations materially increases the chance an agent or downstream tool will read and use private keys without explicit user consent boundaries, enabling unauthorized trading or account compromise if the environment is shared or the prompt is repurposed.

Session Persistence

Medium
Category
Rogue Agent
Content
### 2. Store Kalshi credentials
```bash
mkdir -p ~/.kalshi && chmod 700 ~/.kalshi
nano ~/.kalshi/private_key.pem   # paste -----BEGIN RSA PRIVATE KEY----- block
chmod 600 ~/.kalshi/private_key.pem
echo "YOUR-API-KEY-ID-HERE" > ~/.kalshi/key_id.txt
```
Confidence
91% confidence
Finding
mkdir -p ~/.kalshi && chmod 700 ~/.kalshi nano ~/.kalshi/private_key.pem # paste -----BEGIN RSA PRIVATE KEY----- block chmod 600 ~/.kalshi/private_key.pem echo "YOUR-API-KEY-ID-HERE" > ~/.kalshi/key

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.
