Kalshi
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running portfolio commands can expose balance, positions, orders, and trade history to the agent session and depends on protecting a Kalshi private key.
Portfolio commands authenticate using a locally stored Kalshi API key configuration and private key, which is sensitive financial-account access even though the shown code uses read-only account methods.
CREDENTIALS_PATH = Path.home() / ".kalshi" / "credentials.json"
...
with open(key_path) as f:
    private_key = f.read()
...
config.private_key_pem = private_key
Use the least-privileged or read-only Kalshi API key available, keep ~/.kalshi files permission-restricted, and only run portfolio commands when you intend to share that account view.
Installing external Python packages gives that code local execution rights, and the SDK would run in a context that can access the Kalshi key during portfolio commands.
The portfolio CLI requires an external Python SDK that must be installed separately, while the registry metadata lists no install specification; this is user-directed and purpose-aligned but worth verifying.
from kalshi_python import Configuration, KalshiClient
...
print("Error: kalshi-python not installed. Run: pip install kalshi-python")
Install dependencies in a virtual environment, verify package names and sources, and consider pinning trusted versions before using authenticated portfolio features.
