ClawHub

Kalshi Trading

v1.0.0

Trade on Kalshi prediction markets: check portfolio, search markets, analyze orderbooks, place/cancel orders, and manage binary contract positions.

7· 1.5k·6 current·6 all-time
by@ghsmc
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (Kalshi trading) align with required binaries (node), required env vars (API key ID and path to private key), and the code (signing requests, calling Kalshi endpoints). All declared requirements are expected for a signed-requests trading CLI.
Instruction Scope
SKILL.md and the scripts limit actions to Kalshi API usage (search, market, orderbook, portfolio, orders, place/cancel orders). The docs explicitly require user confirmation before trades. The runtime instructions do not ask the agent to read unrelated files or contact unexpected external endpoints.
Install Mechanism
No install spec (instruction-only / bundled scripts). No downloads or archive extraction are requested, so there is no high-risk installer activity.
Credentials
Requires two env vars: KALSHI_API_KEY_ID and KALSHI_PRIVATE_KEY_PATH. These are appropriate and necessary for RSA-PSS signing, but the private key file is highly sensitive—the skill reads it from disk to create signatures. Users should ensure the key file is stored with tight permissions and not shared; only provide keys you intend the CLI to sign requests with.
Persistence & Privilege
always is false and the skill does not request persistent or elevated system-wide privileges. It does spawn a child node process (quick-analysis) to call the bundled CLI — this is consistent with the helper script's purpose and not an unexplained privilege escalation.
Assessment
This skill appears to be what it claims: a Node.js CLI for Kalshi that signs requests with an RSA private key. Before installing, (1) verify you trust the skill source and review the included scripts (they are bundled and runnable); (2) keep the private key file secure (chmod 600, store in a restricted path) because the CLI reads it to sign requests; (3) prefer using Kalshi's demo environment for testing (the script defaults to production); (4) confirm trades interactively — SKILL.md requires you to always confirm before placing orders, but the CLI can accept direct args, so your agent or UI must enforce confirmation; and (5) revoke or rotate API keys if you suspect misuse.

Like a lobster shell, security has layers — review code before you run it.

latestvk973y6gb9sy92wdm9b13a6007d815gm8

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📈 Clawdis
Binsnode
EnvKALSHI_API_KEY_ID, KALSHI_PRIVATE_KEY_PATH
Primary envKALSHI_API_KEY_ID

Comments