Security audit

Kalshi Econ Fed Link Trader

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed automated trading skill that defaults to dry-run, but it can place and sell real-money positions when explicitly run in live mode.

Install only if you intentionally want an automated trading bot. Test in dry-run first, keep cron disabled unless you want recurring execution, use a dedicated low-balance wallet/API key, review or pin simmer-sdk before providing live credentials, and understand that --live can place and close real USDC positions automatically.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 83%
Finding:
The manifest declares no permissions while the skill documentation clearly indicates access to sensitive environment variables, including trading credentials. This undermines informed consent and policy enforcement because an operator may install or run the skill without realizing it consumes high-value secrets needed for live trading.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 93%
Finding:
The documented purpose understates the operational behavior: this skill can discover markets, inspect positions, modify configuration, and execute live trades, while also relying on an additional private key not disclosed in the top-level description. In a trading context, behavior-description gaps are dangerous because users may expose funds and credentials under the false assumption that the skill is analysis-only or lower risk.

Intent-Code Divergence

Severity: Medium
Confidence: 90%
Finding:
The manifest says only SIMMER_API_KEY is required, but the body later states that SOLANA_PRIVATE_KEY is also required for live trading. This inconsistency can cause operators to supply an additional high-value credential without it being surfaced in the formal metadata, weakening review, secret-scoping, and trust decisions.

Description-Behavior Mismatch

Severity: Medium
Confidence: 89%
Finding:
The manifest requests a SOLANA_PRIVATE_KEY even though the stated strategy only mentions CPI/Fed market analysis through simmer-sdk, creating an unnecessary privilege mismatch. Requiring a blockchain private key for an automated trader materially increases risk because users may expose signing credentials without a clear, justified need, enabling unintended on-chain actions if the entrypoint uses that key.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding:
The skill description says it uses CPI and Fed markets for trading, but the code also discovers and auto-imports external Kalshi markets into Simmer before analysis and trading. That expands the skill's operational scope and trust boundary without clear disclosure, which can surprise operators and increase exposure to unintended market ingestion or rate-limited/API-side effects.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
This skill declares automated trading capability and asks for a private key, but the manifest provides no visible disclosure that sensitive signing credentials will be used. In the context of an autotrading skill, undisclosed private-key use is especially dangerous because users may supply credentials without understanding that real funds or on-chain positions could be affected automatically.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
When run with --live, the skill places real orders immediately once its internal conditions are met, with no execution-time confirmation, preview, or kill-switch prompt. In an automated trading context, this can cause unintended real-money trades if the operator misconfigures the environment, strategy parameters, or invocation mode.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The exit logic can automatically sell existing positions in live mode once price thresholds are reached, again without a user confirmation at the moment of execution. Automatic liquidation is especially sensitive because it affects existing holdings and may realize losses or close positions unexpectedly under noisy market data.

VirusTotal

67/67 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.