Fuku Predictions

Security checks across malware telemetry and agentic risk

Overview

This skill is a real-money Kalshi trading tool with a disclosed purpose, but it can store credentials, place live trades without per-trade approval, and install scheduled automation.

Install it only if you intend to let a local agent interact with a real Kalshi account. Use dry-run or approval mode first. Avoid the no-flag executor and the cron full-auto option unless you deliberately want unattended live trading. Protect the .env file and exclude it from sync and commits. Assume that balances, profiles, orders, and trade history may be shown in chat output or written to local files.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (13)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 93%
Finding: The skill documentation describes capabilities to read environment secrets, write local files, access the network, and invoke shell commands, yet no explicit permission model is declared. In a trading skill that handles API credentials and can place orders, hidden or overly broad capabilities materially increase the risk of credential exposure, unauthorized automation, and destructive local actions if the skill is invoked in an unexpected context.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 90%
Finding: The documented behavior goes beyond the stated conversational trading purpose into credential collection, persistent portfolio/order tracking, automation setup, and autonomous execution. That mismatch undermines informed consent: users may enable the skill expecting advisory behavior while it also supports background trading workflows and broader account interaction.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding: The browser command fetches and prints the user's Kalshi account balance even though the file's stated purpose is market browsing and model/edge display. This unnecessarily exposes sensitive financial information to whatever agent, chat surface, logs, or downstream system invokes the script, increasing privacy and data-leak risk.

Context-Inappropriate Capability

Severity: Medium
Confidence: 89%
Finding: The setup script goes beyond conversational trading/profile configuration and can install persistent host-level cron jobs that repeatedly execute trading code. In an agent-skill context, persistence and unattended execution materially increase risk because they can cause ongoing actions on the user's machine and account after initial setup.

Intent-Code Divergence

Severity: High
Confidence: 98%
Finding: The script tells users their API keys are 'never transmitted externally,' but it immediately offers a connection test that uses those credentials to authenticate to the remote Kalshi API. That misleading claim can cause users to underestimate exposure and trust the skill with highly sensitive trading credentials under false assumptions.

Missing User Warnings

Severity: High
Confidence: 95%
Finding: The skill explicitly advertises hands-free autonomous trading but does not present an equally explicit warning about real-money financial risk, possible losses, and the fact that the agent may place trades without per-trade review in auto mode. In this context, insufficient warning is especially dangerous because the capability can directly affect a user's funds and operate at machine speed or on a schedule.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: The setup instructions tell users to place a private RSA key in a local .env file without cautionary guidance about file permissions, secret handling, rotation, or avoiding accidental commits/logging. Because the skill also uses file and shell capabilities, poor secret hygiene increases the chance of local leakage or unintended exposure of trading credentials.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: This document provides detailed automated real-money trading strategies, bankroll sizing, and auto-trade configuration before clearly foregrounding the financial risks of autonomous execution. In a skill explicitly designed to scan markets and place or exit Kalshi trades, burying the warning at the end can lead users to enable risky automation without understanding drawdowns, loss potential, or the need for human approval safeguards.

Missing User Warnings

Severity: High
Confidence: 98%
Finding: In --auto mode, the script places real Kalshi orders immediately for each scored opportunity without any interactive confirmation or a just-in-time user warning. Because this skill is explicitly designed for autonomous trading and can be run from cron, a misconfigured profile, bad model output, or prompt-triggered workflow could cause real financial transactions without the user affirmatively approving each trade at execution time.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding: The script persistently appends detailed trade records to trades.json, including timestamps, markets, positions, prices, and errors, without any disclosure or consent at the write site. In a local agent environment, this creates a durable record of sensitive financial activity that could be exposed to other tools, users, backups, or later prompts, increasing privacy and security risk.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The script accesses account balance data without any user-facing disclosure, confirmation, or indication that browsing markets will touch account-specific information. In an agent setting, that means a simple request for market information can silently trigger access to sensitive account data and surface it back to the user or into logs.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding: The executor performs real trade placement by default when invoked with no safety flag, which creates a dangerous fail-open workflow for a financial automation tool. In this skill context, the capability is inherently high risk because it can spend real funds and place market orders through stored API credentials, so accidental invocation or misuse can directly cause financial loss.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The setup stores the API key ID and private key directly in a local .env file without setting restrictive permissions or warning that the file contains plaintext secrets. On multi-user systems, in backups, or if the project directory is later synced or committed, those credentials could be exposed and abused to trade or access account data.

VirusTotal

65/65 vendors flagged this skill as clean.