Kalshi Eth Staking Yield Trader

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Kalshi trading automation that can use real trading credentials, but its high-risk behavior is aligned with its stated purpose and defaults to dry run.

Install only if you understand this is a financial trading bot. Test dry-run mode first, use a dedicated low-balance Solana wallet and limited Simmer credentials for live trading, review simmer-sdk before trusting it, and double-check tunables such as max position, max trades per run, and slippage before using --live.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill clearly requires environment-provided secrets such as SIMMER_API_KEY and, for live mode, SOLANA_PRIVATE_KEY, yet the manifest does not declare corresponding permissions. That creates a transparency and governance gap: users or platforms may approve/install the skill without understanding that it reads high-value credentials used for trading authority.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The declared behavior understates what the skill can actually do: it can place NO trades, liquidate/exit positions, discover/import markets, and perform live trading with an additional private key. In a trading skill, this mismatch is security-relevant because operators may grant credentials or enable execution based on an incomplete understanding of the actions the agent may take with real funds.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The manifest says the skill requires SIMMER_API_KEY, but later documentation says SOLANA_PRIVATE_KEY is also required for live trading. A hidden or inconsistently declared private-key requirement is dangerous in this context because users may expose a wallet-signing secret without that requirement being surfaced in the formal metadata and review path.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The manifest requests SOLANA_PRIVATE_KEY even though the skill description only mentions Kalshi/ETH trading via Simmer. Requiring an unrelated blockchain private key expands the trust boundary and could expose highly sensitive wallet credentials to code that users would not reasonably expect to need them.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The documented context says the skill requires only SIMMER_API_KEY, but the manifest also silently requires SOLANA_PRIVATE_KEY. This mismatch is dangerous because it can trick users into providing a private key under false assumptions, undermining informed consent and making secret exfiltration or unauthorized wallet use harder to notice.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The skill description says it buys underpriced YES positions, but the implementation also opens NO positions when the computed edge is negative and later sells existing positions on exit. This is a capability mismatch that can cause operators or automation to authorize behavior they did not intend, especially in live trading where inverse exposure and active exits materially change risk.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The header presents this as a Kalshi trader, but the live-trading instructions also require Solana/DFlow credentials and routing, which expands the trust boundary and execution path beyond what a user may expect. Misstating where and how trades are routed can lead users to provide additional credentials or approve a different settlement environment than the one advertised.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
A private key environment variable is requested without any user-facing warning, which is especially risky because private keys are typically full-control credentials for financial assets. In a trading skill context, undisclosed access to such a secret materially increases the danger of fund theft, unauthorized signing, or cross-system credential abuse if the runtime or code is compromised.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Passing --live immediately enables real trading with no interactive confirmation, preview, or secondary safeguard. In a script that can discover markets and place orders automatically, a typo, copied command, or automation misconfiguration can trigger unintended live trades and financial loss.

VirusTotal

VirusTotal findings are pending for this skill version.
