ClawHub

Kalshi Eth Btc Beta Trader

Security checks across malware telemetry and agentic risk

Overview

This is a real-money trading skill with sensitive credentials, but its live-trading behavior is disclosed, dry-run is the default, and no hidden or unrelated behavior was found.

Install only if you intend to evaluate or run an automated trading tool. Keep it in dry-run first, review or pin simmer-sdk before live use, use a dedicated low-balance Solana wallet, set conservative trade limits, and do not enable --live or scheduling unless you accept the risk of real financial loss.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The skill description understates what the skill does and what credentials it needs, especially by omitting `SOLANA_PRIVATE_KEY` from the top-level description while later requiring it for live trading. In a trading skill, this is dangerous because users may install or trust the skill under an incomplete risk model, exposing high-value credentials and enabling broader market actions, position management, and persistent configuration changes than initially advertised.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The documentation gives conflicting statements about required credentials, first saying only `SIMMER_API_KEY` is required, then later stating both `SIMMER_API_KEY` and `SOLANA_PRIVATE_KEY` are required. This inconsistency can cause unsafe operator behavior, including supplying unexpected private keys to a skill they believed needed only an API token, which is especially risky in a financial trading context.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The manifest requests SOLANA_PRIVATE_KEY even though the stated skill purpose is Kalshi ETH/BTC beta trading and already lists SIMMER_API_KEY as the relevant credential. An unnecessary private key request expands the skill's access to highly sensitive wallet material and creates a credible path for unauthorized blockchain transactions or secret exfiltration if the entrypoint code uses it.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
A raw Solana private key is an unjustified capability for the described Kalshi trading strategy, so its presence is a strong indicator of overprivileged secret access. In this context, the mismatch makes the skill more dangerous because there is no user-visible functional reason to normalize exposure of a wallet private key to the skill runtime.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The manifest declares access to a highly sensitive credential without any user-facing warning, justification, or handling notice. This reduces informed consent and increases the likelihood that operators will provide a wallet private key to a skill whose advertised purpose does not suggest such access, making accidental exposure more likely.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
When run with --live, the skill can submit real buy orders immediately with no interactive confirmation, preview, or second-factor gating. In an automated trading context this increases the risk of unintended irreversible trades from operator error, bad parameters, or strategy/model mistakes.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

View on VirusTotal