Kalshi
Review
Audited by ClawScan on May 1, 2026.
Overview
This appears to be a coherent read-only Kalshi market and portfolio viewer, with the main things to notice being local Kalshi API key use and Python package dependencies.
Install this only if you want a local Python-based Kalshi viewer. Public market commands do not need authentication, but portfolio commands require creating and storing a Kalshi API key/private key and will reveal financial account information such as balances and positions. Protect the key, use least-privileged credentials if available, and verify Python dependencies before running authenticated commands.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running portfolio commands can expose balance, positions, orders, and trade history to the agent session and depends on protecting a Kalshi private key.
Portfolio commands authenticate using a locally stored Kalshi API key configuration and private key, which is sensitive financial-account access even though the shown code uses read-only account methods.
CREDENTIALS_PATH = Path.home() / ".kalshi" / "credentials.json"
...
with open(key_path) as f:
    private_key = f.read()
...
config.private_key_pem = private_key
Use the least-privileged or read-only Kalshi API key available, keep ~/.kalshi files permission-restricted, and only run portfolio commands when you intend to share that account view.
Installing external Python packages gives that code local execution rights, and the SDK would run in a context that can access the Kalshi key during portfolio commands.
The portfolio CLI requires an external Python SDK that must be installed separately, while the registry metadata lists no install specification; this is user-directed and purpose-aligned but worth verifying.
from kalshi_python import Configuration, KalshiClient
...
print("Error: kalshi-python not installed. Run: pip install kalshi-python")
Install dependencies in a virtual environment, verify package names and sources, and consider pinning trusted versions before using authenticated portfolio features.
