Back to skill

Security audit

Kalshi F1 Teammate Anti Trader

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed automated trading skill that defaults to dry run and only places real trades when run with the live flag, but it handles high-value trading credentials.

Install only if you intend to use an automated trading tool. Start in dry-run mode, review the signals, and use --live only when you are ready for real USDC trades. Use a dedicated low-balance Solana wallet and a scoped Simmer API key where possible, and verify the simmer-sdk dependency before providing credentials.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill documentation declares required environment variables and trading credentials, but no explicit permissions model is declared. In an agent ecosystem, undeclared access to environment secrets is security-relevant because it obscures the true trust boundary and can cause operators to expose high-value credentials without clear consent. The risk is amplified here because the env capability includes API and private-key material tied to financial trading.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The description understates the skill's operational behavior: it does more than generate anti-correlation trade signals, including market discovery/import, reading positions, and actively selling/exiting positions. Description-behavior mismatches are dangerous because users may authorize or run the skill under an incomplete understanding of its actions, especially when those actions can move funds or close live positions. In a trading skill handling real credentials, hidden or under-documented execution paths materially increase financial and operational risk.

Intent-Code Divergence

Low
Confidence
93% confidence
Finding
The skill metadata says it requires only SIMMER_API_KEY, while the body also states SOLANA_PRIVATE_KEY is required for live trading. Inconsistent credential disclosure is a security issue because it can mislead operators during review, deployment, and secret provisioning, and may cause a sensitive wallet key to be introduced later without prior scrutiny. Although this is primarily a documentation/integrity flaw, the context makes it meaningful because the missing credential is a private key for real-money trading.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The manifest requests a SOLANA_PRIVATE_KEY even though the skill description and stated trading purpose are limited to Kalshi F1 championship trading and only mention SIMMER_API_KEY. Requesting an unrelated blockchain private key creates unnecessary access to a highly sensitive credential that could be exfiltrated or abused to transfer funds, making the skill materially more dangerous than its declared functionality suggests.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The manifest requires a raw private key but provides no user-facing disclosure explaining why such a credential is needed or what actions it could authorize. In the context of an automated trading skill, silently requesting a blockchain private key is especially dangerous because users may supply a wallet credential that enables unauthorized asset transfers beyond the advertised Kalshi trading behavior.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The --live path places real trades immediately once invoked, with no interactive confirmation, no summary review, and no secondary safeguard beyond command-line intent. In an automation or copy-paste context, a mistaken flag, wrapper script, or misconfigured job could trigger unintended financial transactions.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.