Security audit

Kalshi Eth Gas Correlation Trader

Security checks across malware telemetry and agentic risk

Overview

Review before installing: this trading bot can use real credentials and place real trades, while its code appears to estimate gas from market text rather than actual on-chain gas data.

Install only if you are comfortable reviewing and operating an advanced financial trading bot. Keep it in dry-run until you verify the strategy, use a dedicated low-balance wallet and limited API key, keep trade limits low, and do not assume live trades are based on actual on-chain gas data unless the code is changed to fetch and validate that feed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 89%
Finding:
The skill documentation declares access to sensitive environment variables but does not clearly declare corresponding permissions or fully enumerate all secrets it expects. In a trading skill, hidden or understated env access is dangerous because operators may provide credentials without understanding the full secret exposure surface, increasing the chance of unintended secret use or abuse.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding:
The documented purpose says the skill trades based on on-chain gas prices, but the described behavior includes market discovery, position management, config mutation, and use of an additional private key not disclosed in the top-level description. This mismatch is dangerous because users may trust the stated narrow strategy while the skill actually has broader trading and credential-handling capabilities, leading to unauthorized or misunderstood financial actions.

Intent-Code Divergence

Severity: Medium
Confidence: 93%
Finding:
The manifest states only SIMMER_API_KEY is required, while later setup text also requires SOLANA_PRIVATE_KEY for live trading. Conflicting credential requirements are dangerous because they obscure the presence of a high-value wallet secret, making users more likely to supply it without adequate review or to misunderstand when live trading authority is enabled.

Intent-Code Divergence

Severity: Medium
Confidence: 92%
Finding:
The metadata and setup sections contradict each other about required environment variables, which undermines operator understanding of the trust boundary for the skill. In a financial automation context, ambiguity around secrets is particularly risky because it can cause accidental provisioning of unnecessary high-privilege credentials or unsafe deployment assumptions.

Description-Behavior Mismatch

Severity: Medium
Confidence: 97%
Finding:
The manifest requests a SOLANA_PRIVATE_KEY even though the stated skill purpose is trading Kalshi ETH markets based on Ethereum gas prices, which does not inherently require Solana signing capability. Unnecessary secret collection materially increases the blast radius of a compromise and may enable unauthorized access to a user's Solana wallet if the skill or its dependencies mishandle that key.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding:
Requesting a blockchain private key that is unrelated to the declared ETH-gas/Kalshi strategy is a strong indicator of unjustified secret access. In this context, the mismatch makes the request more dangerous, because users may provide a sensitive wallet credential under false assumptions and expose funds to theft or unauthorized transactions.

Description-Behavior Mismatch

Severity: High
Confidence: 99%
Finding:
The skill claims to trade based on on-chain gas prices, but it never retrieves any blockchain gas data and instead fabricates a signal from market-question keywords. This is dangerous because users may enable live trading under the false belief that decisions are grounded in external market data, while the strategy is actually self-referential and easily produces unjustified trades.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The manifest understates the sensitive credentials needed compared with the markdown instructions, specifically omitting a private key requirement from the primary metadata. This is dangerous because downstream tooling or reviewers may rely on manifest metadata for risk assessment and miss that the skill may consume wallet credentials capable of authorizing real trades.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
In live mode, the script can place real buy and sell orders immediately based only on the --live flag, with no interactive confirmation, allowlist, or secondary approval. In a trading skill, this increases the risk of accidental execution from operator error, automation misconfiguration, or misleading strategy behavior, especially because the underlying signal logic is weak and misrepresented.

VirusTotal

VirusTotal findings are pending for this skill version.

Static analysis

No suspicious patterns detected.