Skillv1.1.0

ClawScan security

Kalshi Command Center · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 14, 2026, 3:27 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's functionality (trading on Kalshi) is coherent with the code, but registry metadata omits required credentials and the runtime instructions/code demand file and network access that should have been declared — combined with autonomous trade execution capability this is risky and needs careful review before use.
Guidance: Do not install/use this skill without manual code review and key management plans. Specific steps: - Verify origin and author: the source/homepage is unknown; prefer published, auditable packages for trading. - Inspect scripts/kalshi_commands.py thoroughly (search for network endpoints, unexpected POSTs, hardcoded URLs). Confirm BASE_URL is correct for Kalshi and no hidden endpoints exist. - The skill expects KALSHI_KEY_ID and a private key file (KALSHI_KEY_PATH) even though registry metadata omits them — treat credential requests as required. Create a limited-permission test API key (or sandbox account) before providing production credentials. - Protect the private key: store it with correct filesystem permissions, and avoid putting it in world-readable locations. Consider using a short-lived or scoped credential if Kalshi supports it. - The skill writes audit logs and cache to ~/.openclaw; review these files for sensitive data and set appropriate permissions. If you don't want persistent logs, run the skill in an isolated environment/container and redirect logs. - The SKILL.md includes explicit instructions to edit the script to bypass filters; do not run or accept advice that encourages bypassing built-in safety without manual review. - Avoid running the provided pip install line that uses --break-system-packages; instead install dependencies in a virtualenv or container and pin/inspect packages (kalshi-python, requests, pyyaml). Validate the kalshi-python package authenticity. - If you plan to allow autonomous agent invocation with this skill, require explicit confirm prompts for any trade placement, or disable autonomous invocation until you trust the code and credentials. If you cannot review the code or create a test account, do not provide real API credentials. Consider running the skill in a sandboxed VM/container and monitoring network calls and filesystem changes before using with a real account.

Review Dimensions

Purpose & Capability: concernThe skill's name/description match the included code (portfolio, scan, execute). However the registry metadata declares no required environment variables or primary credential, while both SKILL.md and scripts (kalshi_commands.py) clearly require KALSHI_KEY_ID and a private key file (KALSHI_KEY_PATH or config entry). That mismatch is an incoherence: a trading client must require credentials and should have declared them.
Instruction Scope: concernRuntime instructions and the script instruct the agent to read ~/.openclaw/config.yaml (and a legacy alternate path), read a private key file, write audit logs (~/.openclaw/logs/trades.jsonl), and can place live trades via the Kalshi API. SKILL.md also instructs editing the script to bypass filters (explicit bypass guidance). These are within the claimed trading purpose but expand scope to file I/O, persistent logs, and code modification — all sensitive for a skill that can execute trades.
Install Mechanism: noteThere is no formal install spec (instruction-only), but a requirements.txt and inline pip install instructions exist. The pip suggestion in the script header includes a disruptive flag (--break-system-packages) which is unusual and concerning. No remote downloads or obscure URLs are present in the manifest.
Credentials: concernThe code requires Kalshi API credentials and local private key file access — appropriate for a trading client — but the registry metadata failed to declare these env vars/primary credential. The script also probes an unrelated legacy config path (~/.config/imsg-watcher/config.yaml), which is unexpected and could lead to accidental leakage of other configs. Requested file and path access (private key, ~/.openclaw keys, logs) is sensitive and should be explicit in metadata and reviewed.
Persistence & Privilege: noteThe skill is not force-installed (always: false) but will create and write logs and cache under ~/.openclaw and may persist research cache and trade audit logs. The skill can perform autonomous model invocation (platform default) and, if provided credentials, can place real trades — this combination increases impact and requires you to be explicit about whether the agent may act without manual confirmation.