Security audit

Kalshi Fed Data Reaction Trader

Security checks across malware telemetry and agentic risk

Overview

This is a high-risk trading skill, but its sensitive behavior is disclosed, dry-run by default, and aligned with its stated purpose.

Install only if you intend to run an automated trading tool. Keep it in dry-run mode first, review simmer-sdk before supplying live credentials, and use dedicated low-balance trading credentials rather than a main wallet or broad account key.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands

Findings (6)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 88% confidence
Finding: The skill documentation indicates use of environment-based credentials (`SIMMER_API_KEY`, and elsewhere `SOLANA_PRIVATE_KEY`) but the manifest does not declare corresponding permissions. That weakens reviewability and least-privilege controls, making it easier for an agent or platform to grant secret access implicitly without clear user awareness.

Tp4

High

Category: MCP Tool Poisoning
Confidence: 93% confidence
Finding: The declared description understates the skill's operational scope: beyond signal generation, it can discover/import markets, manage and exit positions, support live execution, and mutate persisted configuration. In a trading skill handling real funds and private keys, this mismatch is dangerous because reviewers may authorize it expecting analysis-only behavior while it can place and manage live trades or alter future behavior.

Intent-Code Divergence

Medium

Confidence: 95% confidence
Finding: The manifest says only `SIMMER_API_KEY` is required, but the documentation later states `SOLANA_PRIVATE_KEY` is also required for live trading. This inconsistency can mislead users and automated policy systems about the sensitivity of the skill, increasing the chance that a highly privileged wallet key is supplied without proper review or controls.

Context-Inappropriate Capability

Medium

Confidence: 94% confidence
Finding: The manifest requests a SOLANA_PRIVATE_KEY even though the stated skill purpose is trading Kalshi Fed-rate markets via simmer-sdk, creating a strong mismatch between declared functionality and required secret scope. Unnecessary private-key collection is dangerous because it expands the blast radius from market-trading permissions to full blockchain wallet compromise if the key is accessed, logged, or later abused.

Description-Behavior Mismatch

Medium

Confidence: 91% confidence
Finding: The manifest's dependency and secret requirements conflict with the published description by requiring an additional secret not disclosed in the skill summary. This is dangerous because users may provide sensitive credentials under false assumptions about what the skill does, enabling hidden capability expansion and reducing informed consent around secret exposure.

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: This skill is configured for automated trading and requests a private key, yet the manifest provides no clear warning to users that sensitive credentials may authorize financial or wallet actions. In a trading context, absent disclosure is especially risky because users may unknowingly enable automated transactions or expose a reusable signing key with direct monetary consequences.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.