Security audit

Kalshi Econ Revision Drift Trader

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed dry-run-first trading skill, but live mode can spend real funds and requires high-value credentials.

Install only if you intend to evaluate or run a trading bot. Use dry-run first, do not pass --live until you have reviewed the strategy and simmer-sdk, and use a dedicated low-balance wallet plus a scoped/revocable API key for any live trading.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 90%
Finding
The manifest declares no permissions while the skill explicitly requires environment-based secrets such as SIMMER_API_KEY and, elsewhere in the file, SOLANA_PRIVATE_KEY. That mismatch weakens review and consent because operators may install or trust the skill without realizing it consumes high-value credentials for trading actions.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 96%
Finding
The skill description understates operational scope: beyond generating a trading signal, it can discover/import markets, inspect positions, execute exits/sells, update configuration, and use a blockchain private key for live trading. In a financial-trading skill, behavior-description mismatches are especially dangerous because users may expose credentials or enable live mode without understanding the full set of account-affecting actions.

Intent-Code Divergence

Severity: Medium
Confidence: 94%
Finding
The metadata says only SIMMER_API_KEY is required, but the documentation later states SOLANA_PRIVATE_KEY is also required for live trading. This contradiction can cause unsafe deployment decisions, with users supplying a highly sensitive signing key without prior warning or, conversely, misunderstanding what authority the skill needs to place real trades.

Description-Behavior Mismatch

Severity: Medium
Confidence: 97%
Finding
The manifest requests SOLANA_PRIVATE_KEY even though the skill is described as a Kalshi CPI trading strategy using simmer-sdk, creating a mismatch between declared functionality and requested secrets. An unnecessary blockchain private key materially expands the blast radius: if the skill code, its dependencies, or future updates access that variable, a user's wallet could be drained or abused for unauthorized signing.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding
Requesting a private key for a strategy that ostensibly trades Kalshi CPI bin markets is an unjustified sensitive capability and should be treated as highly dangerous. In this context, the skill's stated purpose does not explain why raw signing authority over Solana assets is needed, so the key request could enable theft, unauthorized transactions, or covert use of the wallet if the skill or a dependency is compromised.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The manifest requires a private key environment variable without any user-facing warning, justification, or disclosure, which prevents informed consent for a highly sensitive secret. Even if the key were somehow needed, silently requesting it in a trading skill increases the chance that users provide a valuable wallet credential without understanding the risk or necessity.

VirusTotal

67/67 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.