Skill v1.1.5
ClawScan security
Kalshalyst · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 14, 2026, 11:33 PM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's code and instructions are consistent with a Kalshi trading scanner/trader, but the registry metadata omits required credentials and the runtime instructions/code access local config files, sibling skill paths, and network endpoints (Anthropic, Kalshi, Polygon, Slack), so you should review and sandbox before enabling live trading.
- Guidance
- This skill is functionally coherent with a Kalshi contrarian scanner and auto-trader, but there are several red flags you should address before installing or running it live:
  - Registry metadata mismatch: the registry claims no required env vars, yet SKILL.md and the code require Kalshi API credentials, an Anthropic API key, and optionally Polygon and a Slack webhook. Ask the publisher why the registry metadata omits these, and don't trust the skill to auto-discover secrets.
  - Do not run the auto_trader in live mode until you: 1) review the code (especially scripts/auto_trader.py, kalshalyst.py, trade_ledger.py), 2) verify the safety caps meet your risk tolerance, and 3) run thorough dry-runs. The repo provides a --dry-run; use it first.
  - Sandbox and limit privileges: create Kalshi API credentials with the minimum scope possible, keep private keys in a restricted path you control, and avoid putting high-privilege credentials in agent-global env vars. Use a dedicated Anthropic key with a budget limit or rate-limiting, or use an isolated billing account.
  - Review local file access: the code reads/writes ~/.openclaw files and can load prompt-lab/exit_rules.md and sibling skill directories. Ensure those files don't contain unrelated secrets and consider running the skill in an isolated VM/container with only the minimal config files present.
  - Disable autonomous execution initially: keep auto-trader "enabled": false in config and do not schedule cron/launchd tasks until you are confident in behavior. Monitor logs under ~/.openclaw/logs for unexpected activity.
  - Verify origin and maintenance: the skill source is listed as "unknown" with no homepage. Prefer code from a verifiable maintainer; if you must use this skill, request the author to publish a trustworthy repo or sign the package.
  - Network endpoints: the skill will call Anthropic, Kalshi, and optionally Polygon and Slack. If you require stricter controls, run it in a network-limited environment or intercept outbound calls until you're satisfied.

  If you want, I can: list the exact files and functions that read local files or call external endpoints, summarize the auto-trader safety checks, or provide a short checklist to safely test this skill in a sandbox.
Review Dimensions
- Purpose & Capability
- note: The skill claims to scan Kalshi markets, run contrarian LLM estimators (Anthropic Claude, Qwen fallback), compute Kelly sizing, and optionally execute trades, and the included code implements that. However, the registry metadata lists no required environment variables or credentials while the SKILL.md and code clearly require Kalshi API credentials, an Anthropic API key, and optionally Polygon and a Slack webhook. That mismatch is an incoherence worth flagging.
- Instruction Scope
- concern: SKILL.md and the shipped scripts do more than just call Kalshi/Anthropic: they read and write files under ~/.openclaw (configs, logs, cache), look for user files like prompt-lab/exit_rules.md, import sibling directories (kalshi-command-center), and send notifications via Slack/webhook. The auto_trader script can place live orders via the Kalshi SDK and enforces safety caps, but it has direct access to local files and network endpoints beyond the narrowly stated 'scan' purpose (e.g., reading arbitrary exit_rules, loading other skill code). This broad local file access and trade-execution capability is scope-creep compared to a read-only scanner.
- Install Mechanism
- note: There is no external installer; this is an instruction-and-code skill that ships Python scripts and a requirements.txt. No remote download URLs or installers are used (lower risk than arbitrary remote payloads), but the code expects you to pip-install packages (anthropic, kalshi-python, requests). Because code files are included, installing/running the skill will place executable logic on disk.
- Credentials
- concern: The credentials and env/config access that the skill asks for (Kalshi API key + private key file, Anthropic API key, optional Polygon API key, optional Slack webhook) are appropriate for trading + LLM calls. The problem is the registry declares no required env vars while the runtime needs secrets; this mismatch can be misleading. The code also looks for and can read local files (e.g., ~/.openclaw/config.yaml, prompt-lab/exit_rules.md) which may contain other secrets; a Slack webhook may be read from env or config. Require-review: ensure keys are scoped/limited and config files don't expose unrelated secrets.
- Persistence & Privilege
- note: The skill is not marked always:true. It writes logs and state under ~/.openclaw and can modify its own config (e.g., auto_trader_config.json). It can be scheduled (cron/launchd) for autonomous operation and includes an auto-trader capable of executing orders. That persistence is expected for a trading agent but increases blast radius; treat live execution credentials with care and default to disabled until reviewed and sandboxed.
