Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Portfolio Drift Monitor

v1.1.4

Real-time Kalshi portfolio drift alerts — monitors positions and fires when any position moves beyond your configured threshold since the last check. Snapshot comparison,...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The script and SKILL.md align with the stated purpose (reading Kalshi positions, computing drift, storing a local snapshot). However the registry metadata lists no required environment variables or credentials while both SKILL.md and the script require KALSHI_KEY_ID and KALSHI_KEY_PATH — a metadata/documentation mismatch that can mislead users about required secrets.
Instruction Scope
Runtime instructions and code stay within the monitoring purpose (fetch portfolio, compare, save snapshot). The script also supports sending alerts to a Slack webhook (reads OPENCLAW_SLACK_WEBHOOK or ~/.openclaw/config.yaml slack_webhook_url) — this outbound notification channel is not clearly documented in SKILL.md's prerequisites and represents an additional external endpoint where portfolio data could be posted if you configure it.
Install Mechanism
This is marked instruction-only (no install spec) but ships with requirements.txt and Python code that depends on kalshi-python and pyyaml. There is no automated install step declared — the agent/environment will need the SDK and pyyaml installed manually. The lack of a declared install mechanism increases the chance of runtime failures or hidden manual steps.
Credentials
Requested secrets are proportional to the task: a Kalshi API key ID and path to the private key are required and expected. The script will also read ~/.openclaw/config.yaml (which may contain other settings) and supports OPENCLAW_SLACK_WEBHOOK for notifications; these additional config sources are not fully documented in the registry metadata and could expose portfolio output to an external webhook if set.
Persistence & Privilege
The skill writes a local state file at ~/.openclaw/state/portfolio_snapshot.json (documented in SKILL.md). It does not request always: true, does not modify other skills, and does not require elevated system privileges. Ensure the snapshot file permissions are acceptable for your threat model as it holds portfolio metadata.
What to consider before installing
Before installing or enabling this skill:
1) Understand it requires your Kalshi credentials (KALSHI_KEY_ID and KALSHI_KEY_PATH) — do not share them.
2) The package includes requirements.txt but no automated install spec; install kalshi-python and pyyaml in a controlled environment (virtualenv) before running.
3) The script can POST alerts to a Slack webhook if OPENCLAW_SLACK_WEBHOOK or a slack_webhook_url in ~/.openclaw/config.yaml is present — verify any webhook URL you add because it will receive portfolio alert contents.
4) The skill stores portfolio snapshots at ~/.openclaw/state/portfolio_snapshot.json — review and lock file permissions if this is sensitive.
5) Registry metadata omitted the required env vars; double-check SKILL.md and the script for required configuration before trusting registry claims.
6) If you do not want autonomous checks or outbound notifications, disable autonomous invocation or avoid configuring webhooks and scheduling.
Finally, verify the Kalshi API host being used and consider running the script in an isolated environment until you are comfortable with its behavior.
