Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Kalshi Paper Trading

v1.0.0

Kalshi-native paper trading ledger and CLI for binary prediction contracts. Use for paper opens, marks, reconciliation, valuation, and review without relying...

by Ben @brs999
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name, description, and code align: the scripts implement a Kalshi-native paper ledger and CLI (init, buy, sell, mark, sync-market, reconcile, status, review). Required binary is only node, which is reasonable for a TypeScript/Node CLI. No unrelated credentials or unrelated binaries are requested.
Instruction Scope
The SKILL.md commands and the included scripts stay within the stated scope (local ledger operations and optional Kalshi market reads). The runtime code performs network GETs against a Kalshi OpenAPI base URL (default https://api.elections.kalshi.com/trade-api/v2) and writes a persistent SQLite DB under the user home (~/.openclaw/kalshi-paper.db by default). This persistent file creation is expected for a ledger but is worth noting to users who may not expect on-disk state.
Install Mechanism
No install spec is provided (instruction-only install), which is low risk. The skill includes code files that require node to run. There is no remote download or arbitrary installer; nothing in the manifest fetches external code during install.
Credentials
The skill declares no required environment variables, and it does not request credentials. The code does, however, read an optional KALSHI_BASE_URL environment variable (or accepts a --kalshi-base-url arg) to override the API base — this env var is not listed in the metadata but is innocuous and used to point the CLI at a different Kalshi API endpoint (tests use it to point at a local server). There are no requests for unrelated secrets (AWS keys, tokens, etc.).
Persistence & Privilege
The skill creates and persists a SQLite DB file under the user's home (~/.openclaw/kalshi-paper.db by default). always is false and the skill does not modify other skills or system-wide settings. The persistent ledger is expected for this functionality but users should be aware of the on-disk artifact.
Assessment
This skill appears to do what it says: a local Kalshi-native paper trading CLI that reads public Kalshi market endpoints and stores a local SQLite ledger. Before installing/running:
1) Be aware it will create a persistent DB in your home directory (~/.openclaw/kalshi-paper.db by default); back it up or change the --db path if you want it elsewhere.
2) If you expect the skill to call authenticated Kalshi endpoints, note there is no API-key handling — the CLI only performs unauthenticated GETs against the configured KALSHI_BASE_URL.
3) The SKILL metadata doesn't list the optional KALSHI_BASE_URL env var but the code honors it (used in tests to point at local servers).
4) Confirm your runtime has the required Node environment and the necessary SQLite bindings available for DatabaseSync.
If any of these points are surprising, review the included scripts before use.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
tests/kalshi_paper.test.mjs:21: Shell command execution detected (child_process).
scripts/kalshi_paper.ts:220: Environment variable access combined with network send.

Like a lobster shell, security has layers — review code before you run it.


Runtime requirements

📈 Clawdis
Bins: node
