Kalshi
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: kalshi Version: 1.1.0 The skill bundle provides read-only integration with the Kalshi prediction market API. It uses standard Python libraries and the official Kalshi SDK, making network calls exclusively to the legitimate Kalshi API. While it handles sensitive API credentials (key ID and private key) for portfolio access, these are stored locally in the user's home directory with appropriate secure permissions (0o600) and are not exfiltrated or misused. The `SKILL.md` documentation is transparent about its read-only nature and credential requirements, and there is no evidence of prompt injection attempts, malicious execution, or unauthorized actions beyond the stated purpose.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running portfolio commands can expose balance, positions, orders, and trade history to the agent session and depends on protecting a Kalshi private key.
Portfolio commands authenticate using a locally stored Kalshi API key configuration and private key, which is sensitive financial-account access even though the shown code uses read-only account methods.
CREDENTIALS_PATH = Path.home() / ".kalshi" / "credentials.json" ... with open(key_path) as f:
private_key = f.read()
...
config.private_key_pem = private_keyUse the least-privileged or read-only Kalshi API key available, keep ~/.kalshi files permission-restricted, and only run portfolio commands when you intend to share that account view.
Installing external Python packages gives that code local execution rights, and the SDK would run in a context that can access the Kalshi key during portfolio commands.
The portfolio CLI requires an external Python SDK that must be installed separately, while the registry metadata lists no install specification; this is user-directed and purpose-aligned but worth verifying.
from kalshi_python import Configuration, KalshiClient ... print("Error: kalshi-python not installed. Run: pip install kalshi-python")Install dependencies in a virtual environment, verify package names and sources, and consider pinning trusted versions before using authenticated portfolio features.