Back to skill

Security audit

Kalshi Econ Seasonal Trader

Security checks across malware telemetry and agentic risk

Overview

This is a mostly transparent automated trading skill, but it asks for high-value trading credentials and can place or exit real-money trades once live mode is enabled.

Install only if you intend to run an automated trading tool. Start in dry-run mode, use a dedicated low-balance wallet rather than a primary wallet, keep position limits low, verify the simmer-sdk dependency, and enable --live only when you accept that it can place and exit real USDC trades automatically.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill advertises access to environment-based secrets but does not declare explicit permissions, reducing transparency about its access to high-value credentials. In a trading skill that uses API keys and a private key, undeclared env access makes review and safe deployment harder and can lead operators to grant sensitive secrets without understanding the full trust boundary.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The skill description understates operational behavior by omitting market import/discovery, position management, persistent configuration updates, optional journaling, and the live-trading dependency on a Solana private key. This is dangerous because users may authorize and run the skill under incomplete assumptions, exposing funds, credentials, and state changes beyond the stated purpose.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The manifest says only SIMMER_API_KEY is required, but the documentation later reveals SOLANA_PRIVATE_KEY is also needed for live trading. For a financial skill, omission of a private key requirement is significant because it conceals the need to provide a wallet-signing secret that can directly move assets or authorize trades.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The manifest requests a SOLANA_PRIVATE_KEY even though the skill is described as a Kalshi CPI seasonal trader and only documents a Kalshi-related API dependency. This credential mismatch is a strong sign of over-privileged secret collection: if the skill or any dependency accesses that key, the user could suffer unintended blockchain wallet compromise unrelated to the advertised function.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
Requiring a private key credential without prominent disclosure or handling guidance is dangerous because users may supply a high-value wallet secret to a skill whose stated purpose does not justify it. In this context, the mismatch between a CPI/Kalshi trading bot and a Solana private key makes the secret request more suspicious and increases the chance of accidental credential exfiltration or misuse.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
When run with --live, the skill can place real trades immediately without any interactive confirmation, approval gate, or second-factor check. In an agentic or automated environment, a mistaken invocation, prompt-injection-driven flag usage, or misconfiguration could result in unintended financial loss.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The exit path can automatically sell existing positions in live mode based solely on threshold logic, with no dedicated user confirmation. This increases the chance of unintended liquidation from logic errors, bad market data, or accidental execution in an automated setting.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.