Portfolio Drift Monitor

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Kalshi portfolio monitor, but it under-discloses Slack webhook sending of portfolio details and includes out-of-scope instructions for persistent code changes.

Review carefully before installing. Use the least-privileged Kalshi API key available, protect the private key and snapshot file, and only set OPENCLAW_SLACK_WEBHOOK or slack_webhook_url if you explicitly want portfolio details sent there. Ignore the agent bug-fix protocol unless you separately authorize code edits and commits.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (9)

Tainted flow: 'req' from os.getenv (line 76, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
            data=payload.encode("utf-8"),
            headers={"Content-Type": "application/json"}
        )
        with urllib.request.urlopen(req, timeout=5) as response:
            response.read()
    except Exception:
        # Notification failure should never crash the monitor
Confidence
95% confidence
Finding
with urllib.request.urlopen(req, timeout=5) as response:

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill declares no permissions despite clearly describing use of environment variables, local file reads/writes, and external API/network access. That mismatch prevents informed consent and weakens any sandbox or policy enforcement that depends on manifest-declared capabilities, increasing the chance of unintended credential access or persistent state changes.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
A description-behavior mismatch is security-relevant because users may approve a portfolio-monitoring skill without realizing it can also send outbound Slack messages and read webhook configuration from environment or config files. Hidden notification/exfiltration paths materially expand the attack surface and could leak portfolio data or be abused to send unauthorized messages.

Missing User Warnings

Low
Confidence
83% confidence
Finding
The README tells users to set Kalshi API credential environment variables but provides no guidance on secure storage, least-privilege handling, or avoiding accidental exposure in shells, logs, or shared deployment environments. In a trading-related skill, these credentials can grant access to sensitive account data or actions, so normalizing unsafe setup practices increases the chance of credential leakage.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger phrases are broad enough that normal conversation like 'portfolio alert' or 'kalshi positions' could unintentionally invoke the skill. Accidental activation matters here because the skill accesses credentials, performs network calls, and writes persistent state, so a false trigger can cause real side effects.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
The skill mentions persistent local state but does not clearly warn that each run overwrites the baseline snapshot on disk. This can surprise users, erase useful history, and make troubleshooting or forensic review harder if the file is silently replaced on every execution.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The skill instructs users to provide API credential environment variables and a private key path without an explicit warning that these are sensitive secrets. In a skill that also uses file and network access, inadequate credential-handling guidance increases the risk of accidental exposure, unsafe logging, or misconfigured file permissions.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The troubleshooting guidance tells users to print sensitive authentication material to the terminal using `cat $KALSHI_KEY_PATH | head -1`. Even though it only shows the first line, this still normalizes exposing private-key contents in shell history, logs, screen recordings, terminal scrollback, or shared sessions, and can encourage users to inspect more of the key interactively.

Session Persistence

Medium
Category
Rogue Agent
Content
## Agent Bug-Fix Protocol

**CRITICAL**: When you (the agent) discover and fix a bug in any script during a conversation, you MUST write the fix to the source file on disk using file editing tools. Showing the fix in chat is NOT sufficient — the next scheduled run starts a fresh session and will not have your conversational fix.

Checklist after finding a bug:
1. Edit the actual `.py` file on disk (e.g., `~/skills/portfolio-drift-monitor/scripts/portfolio_drift.py`)
Confidence
89% confidence
Finding
write the fix to the source file on disk using file editing tools. Showing the fix in chat is NOT sufficient — the next scheduled run starts a fresh session and will not have your conversational fix.

VirusTotal

64/64 vendors flagged this skill as clean.