Kalshi Fed Speech Signal Trader

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed dry-run-by-default trading skill that can make real Kalshi trades when live mode and credentials are provided.

Treat this as a real-money trading tool. Start in dry-run mode and use a dedicated low-balance wallet with a scoped API key. Do not provide SOLANA_PRIVATE_KEY unless you intend to enable live trading, and review simmer-sdk if you need full custody assurance. Set conservative position and trade limits before scheduling the skill or running it under automation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
85% confidence
Finding
The skill documentation indicates access to sensitive environment variables such as SIMMER_API_KEY and SOLANA_PRIVATE_KEY, but the manifest does not declare corresponding permissions. That creates a transparency and governance gap: operators may approve or run the skill without understanding that it can read high-value credentials and potentially use them for live trading. In a trading skill, undeclared env access is more dangerous because the referenced secrets directly authorize financial actions.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The documented behavior extends beyond simple sentiment-based analysis into market discovery/import, position management, exit logic, persistent configuration changes, reporting, optional journaling, and live trading with a private key. This mismatch weakens informed consent and security review because users may trust the narrow description while the skill can perform materially broader and riskier actions, including real financial transactions. In this context, understatement is especially dangerous because the omitted behavior involves credential use and asset movement.

Intent-Code Divergence

Low
Confidence
91% confidence
Finding
The manifest metadata says the skill requires SIMMER_API_KEY, while the body also states that SOLANA_PRIVATE_KEY is required for live trading. This inconsistency can cause operators, scanners, or approval workflows to underestimate the credential exposure and operational risk, particularly where manifests are treated as the source of truth. Because the missing credential is a private key tied to real trading, the context increases the severity beyond a routine documentation error.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The manifest requests a SOLANA_PRIVATE_KEY even though the stated skill purpose is Kalshi trading from sentiment analysis and only mentions SIMMER_API_KEY/simmer-sdk. Requiring an unrelated private key expands the credential attack surface and could enable unauthorized blockchain transactions or exfiltration if the runtime or downstream code accesses that secret.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The manifest's declared requirements exceed the advertised scope by adding a Solana credential not disclosed in the description. This mismatch is dangerous because operators may supply a sensitive key under false assumptions, creating an opportunity for hidden functionality, secret misuse, or later code changes that leverage the credential without informed consent.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The strategy computes aggregate sentiment by pooling all Fed rate market question text, then uses that score to price and trade rate-cut markets. This materially exceeds the stated behavior of trading on Fed speech sentiment signals, creating a capability mismatch that can cause users or orchestrators to grant trust and permissions based on an inaccurate description.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill discovers and imports markets into Simmer before trading, which is an additional side effect not disclosed by the description. Hidden import/write actions are dangerous in agent settings because they expand the skill's operational scope and may trigger external state changes, rate limits, or asset exposure beyond what a caller expects from a 'trading-only' tool.

VirusTotal

67/67 vendors flagged this skill as clean.