Security audit

Kalshi Fed Data Reaction Trader

Security checks across malware telemetry and agentic risk

Overview

This is a high-risk trading skill, but its sensitive behavior is disclosed, dry-run by default, and aligned with its stated purpose.

Install only if you intend to run an automated trading tool. Keep it in dry-run mode first, review simmer-sdk before supplying live credentials, and use dedicated low-balance trading credentials rather than a main wallet or broad account key.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3 (Medium)
Category: MCP Least Privilege
Confidence: 88%
Finding:
The skill documentation indicates use of environment-based credentials (`SIMMER_API_KEY`, and elsewhere `SOLANA_PRIVATE_KEY`) but the manifest does not declare corresponding permissions. That weakens reviewability and least-privilege controls, making it easier for an agent or platform to grant secret access implicitly without clear user awareness.

Tp4 (High)
Category: MCP Tool Poisoning
Confidence: 93%
Finding:
The declared description understates the skill's operational scope: beyond signal generation, it can discover/import markets, manage and exit positions, support live execution, and mutate persisted configuration. In a trading skill handling real funds and private keys, this mismatch is dangerous because reviewers may authorize it expecting analysis-only behavior while it can place and manage live trades or alter future behavior.

Intent-Code Divergence (Medium)
Confidence: 95%
Finding:
The manifest says only `SIMMER_API_KEY` is required, but the documentation later states `SOLANA_PRIVATE_KEY` is also required for live trading. This inconsistency can mislead users and automated policy systems about the sensitivity of the skill, increasing the chance that a highly privileged wallet key is supplied without proper review or controls.

Context-Inappropriate Capability (Medium)
Confidence: 94%
Finding:
The manifest requests a SOLANA_PRIVATE_KEY even though the stated skill purpose is trading Kalshi Fed-rate markets via simmer-sdk, creating a strong mismatch between declared functionality and required secret scope. Unnecessary private-key collection is dangerous because it expands the blast radius from market-trading permissions to full blockchain wallet compromise if the key is accessed, logged, or later abused.

Description-Behavior Mismatch (Medium)
Confidence: 91%
Finding:
The manifest's dependency and secret requirements conflict with the published description by requiring an additional secret not disclosed in the skill summary. This is dangerous because users may provide sensitive credentials under false assumptions about what the skill does, enabling hidden capability expansion and reducing informed consent around secret exposure.

Missing User Warnings (Medium)
Confidence: 89%
Finding:
This skill is configured for automated trading and requests a private key, yet the manifest provides no clear warning to users that sensitive credentials may authorize financial or wallet actions. In a trading context, absent disclosure is especially risky because users may unknowingly enable automated transactions or expose a reusable signing key with direct monetary consequences.

VirusTotal

63/63 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.