Kalshi F1 Constructor Trader

Security checks across malware telemetry and agentic risk

Overview

This trading skill is not obviously malicious, but it needs review because live mode can place real-money trades and its exit logic may sell broader F1 positions, not only positions it opened.

Install only if you intend to review and control a live financial trading script. Run dry-run first, use a dedicated low-value wallet/API setup, avoid --live unless you accept real buys and sells, and consider changing the exit logic to sell only positions tagged with this skill before using it with existing F1 positions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill documentation declares environment-variable requirements, including sensitive credentials, but the manifest does not declare corresponding permissions. That mismatch can bypass user expectations and platform policy checks, making secret access less transparent in a trading skill that can control real funds.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The manifest says the skill requires only SIMMER_API_KEY, while the setup and credential sections also require SOLANA_PRIVATE_KEY for live trading. In a financial-trading context, inconsistent credential disclosure is dangerous because it can hide the need for a high-value private key until after installation or execution decisions are made.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The manifest requests SOLANA_PRIVATE_KEY even though the skill is described as a Kalshi F1 trader and only declares simmer-sdk as a dependency. Requiring an unrelated blockchain private key creates unjustified exposure of a highly sensitive credential and suggests either hidden wallet functionality or poor credential hygiene, either of which materially increases risk.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
A private key is among the most sensitive secrets a skill can request, and here it is not justified by the stated purpose of trading Kalshi markets. In this context, the mismatch is especially dangerous because users may provide a wallet key under false assumptions, enabling theft of on-chain assets or unauthorized signing if the runtime later accesses that secret.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill metadata and docstring understate the operational risk by implying only an API key is needed, while the code also supports live trading and references use of a Solana private key. This mismatch can mislead users or automation into enabling a skill with real-money execution capabilities they did not expect, increasing the chance of unsafe deployment.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The manifest requests a private key credential without any visible warning, rationale, or disclosure to the user. Even if not actively malicious, collecting a signing key without explicit notice undermines informed consent and makes accidental secret overexposure much more likely.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
When invoked with `--live`, the skill immediately executes trades without an additional confirmation, review screen, or interlock. In an agent or automation context, a misconfiguration, prompt injection into orchestration, or accidental flag usage could therefore trigger real-money orders directly.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The exit path can automatically sell existing positions during live runs based solely on price thresholds, again with no explicit confirmation step. That makes unintended liquidation possible if the strategy is launched in live mode by mistake or by an upstream automation error.

VirusTotal

65/65 vendors flagged this skill as clean.
