Skillv1.0.0

ClawScan security

Fuku Predictions · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 3, 2026, 12:15 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill mostly does what it says (conversational Kalshi trading) but contains inconsistencies and external-network behavior that merit manual review before use.
Guidance: Before installing or providing credentials: - Do not place your Kalshi RSA private key into .env until you inspect kalshi_client.py to verify it only signs requests locally and never sends the raw private key to external services. If you are not comfortable reading code, ask a developer you trust to audit kalshi_client.py and any network code. - Investigate the external predictions host (fuku_api_base = https://cbb-predictions-api-nzpk.onrender.com). Determine who runs it and what data you will send to it (player/game queries, your profile, or account info). If the skill sends trade intent or account identifiers to that service, your model/strategy and possibly account activity could be exposed. - The registry metadata claims no env vars but the skill requires Kalshi credentials; treat that as a red flag for sloppy packaging. Prefer a skill that declares required credentials formally in metadata. - Start in dry_run mode and keep auto_trade disabled. Test the skill locally without real money, monitor network calls (e.g., with a transparent proxy like mitmproxy if you can) and confirm no unexpected outbound requests carry secrets. - The code spawns subprocesses with a hardcoded 'arch -arm64' wrapper; test on your host in a safe environment to ensure it behaves as expected. This is odd but not necessarily malicious. - If you cannot or will not perform the checks above, avoid supplying the Kalshi private key and avoid enabling 'auto' mode. Treat this skill as untrusted until audited.

Review Dimensions

Purpose & Capability: noteName/description match the code: the package is an autopilot/trading suite for Kalshi using a Fuku sports model. However the registry metadata declares no required credentials while SKILL.md and the code expect a Kalshi API key (RSA private key + id) in a local .env — that mismatch is a coherence issue. Also config points to a third-party predictions endpoint (fuku_api_base on onrender.com) which is not explained in the public description; it's plausible for a model-backed skill but should be documented and justified.
Instruction Scope: concernSKILL.md instructs to store Kalshi credentials locally and claims 'API key stored locally — never transmitted externally.' The codebase references an external predictions API (fuku_api_base) and performs network calls and subprocess execution (e.g., launching autopilot.py). Those external requests could receive request metadata or parameters — the README claim that keys never leave the machine is not verifiable without auditing kalshi_client.py and network calls. agent_interface.py spawns subprocesses using a hardcoded command ('arch -arm64 python3 autopilot.py'), which is unexpected and may fail or behave differently on non-arm64 hosts.
Install Mechanism: noteThere is no install spec in the registry (instruction-only), which limits automatic system changes. SKILL.md suggests pip installing httpx, cryptography, python-dotenv — a reasonable minimal dependency set for HTTP requests and local secret handling. Because code files are bundled, the skill will execute arbitrary Python code when invoked; that is normal for this type of skill but increases the need for code review.
Credentials: concernThe registry lists no required env vars or primary credential, but SKILL.md asks the user to create a .env containing KALSHI_API_KEY_ID and KALSHI_PRIVATE_KEY (private RSA key). That is a clear mismatch. The private key is powerful: it allows API calls and signing for your Kalshi account; you should only provide it if you trust the code. The skill claims keys 'never transmitted externally,' but the presence of a third-party predictions API and networked components means you must audit the code to confirm the private key is only used locally to sign requests to Kalshi and never sent elsewhere.
Persistence & Privilege: notealways:false (no forced always-on) and autonomous invocation is allowed (default). The skill can run 'auto' trading mode that places real trades; combined with access to your Kalshi credentials this is powerful. This is not an immediate disqualifier, but you should restrict autonomous/auto modes until you verify behavior. The skill writes local files (trades.json, optional KILL_SWITCH file) which is expected for a trading agent and is limited to its directory.