kalshi api

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This appears to be a coherent read-only Kalshi market-data CLI; the only notable behavior is user-directed GET requests to Kalshi or a configured base URL.

This skill looks safe for read-only Kalshi market discovery. Before installing, verify that KALSHI_BASE_URL is unset or points to a trusted Kalshi-compatible endpoint, and remember that any separate paper-trading or execution skill should be reviewed independently.

Static analysis

Dangerous exec

Critical
Finding
Shell command execution detected (child_process).

Env credential access

Critical
Finding
Environment variable access combined with network send.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Market tickers, filters, and other query parameters entered into the commands are sent to Kalshi or to whatever base URL the user configured.

Why it was flagged

The CLI sends user-requested GET requests to a configurable API base URL. This is disclosed and aligned with read-only Kalshi market lookup, but the destination should remain trusted.

Skill content

const BASE_URL = process.env.KALSHI_BASE_URL || "https://api.elections.kalshi.com/trade-api/v2";
...
await fetch(url, { method: "GET",

Recommendation

Use the default Kalshi URL or a trusted override only, and review any separate paper-trading skill before using it for execution.