Security audit

Kalshi F1 Elimination Trader

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed trading template, but it needs review because it can place real trades with high-value credentials while using static hard-coded F1 data.

Install only if you understand that this can trade real funds. Start in paper mode, review and update the hard-coded F1 standings before any live run, use a dedicated low-balance Solana wallet rather than a primary wallet, and verify the Simmer API key and simmer-sdk dependency before enabling --live or automaton execution.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The skill description understates the real operational scope: beyond signal generation, it can discover/import markets, monitor positions, execute exits, persist configuration, and perform live trading with an additional private key. In a trading skill handling high-value credentials, this mismatch can mislead users into granting trust and secrets they would not provide if the full behavior were clearly disclosed, increasing the chance of unintended live trades or broader account interaction.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The manifest says only SIMMER_API_KEY is required, while later sections also require SOLANA_PRIVATE_KEY for live trading. This inconsistency can cause operators to misjudge the sensitivity of the skill and supply a signing key without having been warned up front that the skill can use it for real-money transactions.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The manifest requests a SOLANA_PRIVATE_KEY even though the skill is described as a Kalshi F1 trader and only documents simmer-sdk as a dependency. Requiring an unrelated blockchain private key expands the credential blast radius and creates a serious secret-exposure risk if the entrypoint later accesses or exfiltrates that key, especially because private keys enable irreversible asset transfers.

Vague Triggers

Medium
Confidence
79% confidence
Finding
The skill is configured as a managed automaton with credential requirements, but the manifest provides no explicit trigger constraints, activation guardrails, or scope limits on when the trading logic may run. In an automated trading context, weak activation boundaries can lead to unintended autonomous execution using sensitive credentials, increasing the risk of unauthorized trades or abuse if the skill is enabled in the wrong context.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script enables real-money trading solely via the `--live` flag: it immediately initializes a live client and can place orders without any interactive confirmation, secondary approval, or simulation-first gate. In a trading skill that can be run manually, by automation, or from copied commands, this materially increases the chance of accidental live execution and unintended financial loss.

VirusTotal

67/67 vendors flagged this skill as clean.
