Kalshi Trading

Pass. Audited by VirusTotal on May 12, 2026.

Findings (1)

The skill bundle is designed to interact with the Kalshi API for trading prediction markets. It explicitly declares its need for sensitive environment variables (`KALSHI_API_KEY_ID`, `KALSHI_PRIVATE_KEY_PATH`) and uses them for RSA-PSS signing of requests to the legitimate Kalshi API endpoint (`https://api.elections.kalshi.com`). The `SKILL.md` file contains security-enhancing instructions for the AI agent, such as requiring user confirmation before placing trades and verifying positions before selling. There is no evidence of data exfiltration to unauthorized endpoints, malicious execution, persistence mechanisms, or obfuscation. The `quick-analysis.mjs` script uses `node:child_process.spawn` to call `kalshi-cli.mjs` internally, passing arguments as an array, which prevents shell injection at that point, and `kalshi-cli.mjs` correctly uses `encodeURIComponent` for URL parameters, mitigating further injection risks.