Security audit

Kalshi Econ Nowcast Trader

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed automated trading skill with real-money risk, but its high-impact behavior is purpose-aligned and off by default, and the audit found no evidence of deception or exfiltration.

Use this only with a dedicated low-balance trading wallet and API key. Keep it in dry-run mode until you have reviewed simmer-sdk/DFlow handling of SOLANA_PRIVATE_KEY, confirmed the venue/account, and set conservative max position and trade limits.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The manifest omits explicit permission/credential declarations beyond a single env var even though the skill documentation indicates additional environment-based capabilities and live trading behavior. In an agent marketplace, incomplete permission signaling is dangerous because operators may grant or trust the skill under a weaker risk model than its actual capabilities, especially where financial trading and private key use are involved.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The documented purpose materially understates operational behavior: the skill not only prices markets but also discovers/imports markets, manages positions, performs exit logic, supports live execution, and relies on configured values instead of actually fetching the cited nowcast source. This mismatch can mislead users into enabling an autonomous trading agent with broader authority and different data provenance than advertised, increasing the risk of unintended live trades, poor model assumptions, and unsafe credential exposure.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The manifest says only SIMMER_API_KEY is required, but later documentation states SOLANA_PRIVATE_KEY is also needed for live trading. This inconsistency is security-relevant because private keys are highly sensitive credentials, and failing to declare them up front prevents proper review, secrets handling, and risk consent before installation or execution.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The manifest requests SOLANA_PRIVATE_KEY even though the skill is described as a Kalshi CPI-bin trader using Cleveland Fed nowcast data and only documents SIMMER_API_KEY as relevant. Requesting an unrelated blockchain private key unnecessarily expands the secret exposure surface and could enable theft or unauthorized signing if the runtime makes that key available to the skill.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Declaring access to a Solana private key without any stated need is a genuine secret overreach vulnerability. In the context of an automated trading skill, unjustified access to a transferable-asset credential is especially dangerous because the skill runs unattended and could exfiltrate or misuse the key with little user visibility.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
Passing --live immediately enables real order submission with no interactive confirmation, secondary approval, or explicit environment guard. In an agent/automation context, a mistaken invocation, prompt injection in higher-level orchestration, or operator error could cause unintended real-money trades, making this materially risky given the skill's direct financial side effects.

VirusTotal

67/67 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.