
Security audit

Kalshi Command Center

Security checks across malware telemetry and agentic risk

Overview

This is a real Kalshi trading tool, but it is rated Review because it can place live financial orders while overstating some of its safety controls.

Install only if you are comfortable giving an agent Kalshi account access capable of placing and canceling real orders. Treat KALSHI_KEY_ID and KALSHI_KEY_PATH as sensitive secrets, require manual confirmation before live trades, and do not rely on the advertised $50 daily loss cutoff until the code enforces it before every order.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding
The bug-fix protocol instructs the agent to edit files on disk and stage git commits, which exceeds the stated purpose of a trading command skill and expands the trust boundary into persistent local modification. Even if framed as maintenance, this creates an avenue for unauthorized source changes, persistence, and supply-chain impact in both the source tree and installed copy.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding
The document presents the $50 daily loss limit as a hard pre-trade control, but the same section says it is only applied via Kelly sizing if available, which means the control may not actually block trades. In a trading skill, ambiguous risk documentation can cause operators or downstream components to rely on protections that are not enforced, leading to uncontrolled losses and unsafe automated execution.

Intent-Code Divergence

Severity: Medium
Confidence: 96%
Finding
Later sections describe the same $50 daily loss threshold as a hard stop, conflicting with earlier language that makes it conditional or optional. Because this skill is designed for live trade execution, such inconsistencies materially increase the chance that users, agents, or maintainers assume losses are capped when they are not, undermining the safety model of the command center.

Intent-Code Divergence

Severity: Medium
Confidence: 92%
Finding
The documentation gives contradictory behavior for the liquidity component and explicitly shows a raw log-based value being multiplied by 25, which can push the composite score far beyond its stated 0-100 range. In a trading command skill, that inconsistency can cause markets to be mis-ranked and unsafe execution decisions, undermining the built-in risk controls by steering the agent toward trades that are falsely rated 'high edge'.
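The following is an added example, not code from the Kalshi Command Center skill: it places the unbounded liquidity component described in this finding beside a bounded replacement and a range check, and ranks a constructed pair of markets with each to show the mis-ranking. The exact formula (25 * log10(volume)), the 0.6/0.4 edge/liquidity weights, the 10,000-contract volume cap, and the sample markets are assumptions chosen for illustration.

```python
# Added example (not the skill's own code). Assumptions: the flagged raw
# component is 25 * log10(volume); edge is already on a 0-100 scale; the
# composite weights are 0.6 edge / 0.4 liquidity; the sample data is made up.
import math
from typing import Callable, Dict, List


def liquidity_unbounded(volume: float) -> float:
    """The flagged pattern: a log value scaled by 25 with no clamp.
    Any volume above 10_000 contracts already exceeds 100."""
    return 25.0 * math.log10(volume) if volume > 0 else 0.0


def liquidity_bounded(volume: float, volume_cap: float = 10_000.0) -> float:
    """Same log scale, normalised so volume_cap (or more) maps to 100 and
    one contract or fewer maps to 0; the result can never leave 0-100."""
    if volume <= 1.0:
        return 0.0
    return min(100.0, 100.0 * math.log10(volume) / math.log10(volume_cap))


def check_component(name: str, value: float) -> None:
    """The guard the audit implies is missing: refuse out-of-range inputs."""
    if not 0.0 <= value <= 100.0:
        raise ValueError(f"{name} component {value} is outside 0-100")


def composite_score(edge: float, liquidity: float,
                    weights=(0.6, 0.4), strict: bool = False) -> float:
    """Weighted composite; with strict=True an out-of-range component raises
    instead of silently dominating the ranking."""
    if strict:
        check_component("edge", edge)
        check_component("liquidity", liquidity)
    w_edge, w_liq = weights
    return w_edge * edge + w_liq * liquidity


def rank_markets(markets: Dict[str, dict],
                 liquidity_fn: Callable[[float], float],
                 strict: bool = False) -> List[str]:
    """Return tickers best-first; in strict mode a market whose components
    fail the range check is dropped rather than ranked on a bogus score."""
    scored = []
    for ticker, m in markets.items():
        try:
            score = composite_score(m["edge"], liquidity_fn(m["volume"]),
                                    strict=strict)
        except ValueError:
            continue
        scored.append((score, ticker))
    return [t for _, t in sorted(scored, reverse=True)]


# Constructed sample: A has a small edge but huge volume, B a large edge and
# thin volume. Unbounded liquidity for A is 150, so A wins (72 vs 68) even
# though B is the better trade; bounded liquidity puts B first (68 vs 52).
SAMPLE_MARKETS = {
    "A": {"edge": 20.0, "volume": 1_000_000.0},
    "B": {"edge": 80.0, "volume": 100.0},
}

if __name__ == "__main__":
    print("unbounded:", rank_markets(SAMPLE_MARKETS, liquidity_unbounded))
    print("bounded:  ", rank_markets(SAMPLE_MARKETS, liquidity_bounded))
    print("strict:   ", rank_markets(SAMPLE_MARKETS, liquidity_unbounded, strict=True))
```

The strict path is the cheap check worth keeping in a real scorer: a component that cannot prove it is on 0-100 should fail loudly before it feeds a ranking that an agent acts on.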

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding
The skill advertises a $50 daily loss kill switch, but `_check_risk()` only enforces per-trade cost and per-order quantity. That means automated or repeated trades can continue after cumulative losses exceed the claimed threshold, creating a materially misleading safety control in a live trading skill.

Intent-Code Divergence

Severity: Medium
Confidence: 94%
Finding
The module-level documentation claims built-in risk management including a daily loss cutoff that is not actually present in the execution path. In a trading skill, inaccurate safety claims are dangerous because operators may rely on protections that do not exist and allow unattended loss accumulation.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The README instructs users to configure Kalshi API credentials and use commands that can place real-money trades, but it does not prominently warn that these actions may execute live financial transactions or that the credentials are sensitive secrets. In an agent-driven trading skill, this omission increases the risk of accidental trading, unsafe delegation to an autonomous agent, and credential mishandling such as exposing key material or storing it insecurely.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The protocol directs the agent to write changes directly to source files without requiring user warning or confirmation. That is dangerous because it authorizes silent persistent modification of executable code, allowing accidental breakage or abuse to survive beyond the current session without the operator's informed consent.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding
`execute_pick_command()` can automatically size and submit real buy orders from cached picks without a confirmation gate at the moment of execution. In an agent-driven trading context, lack of a final confirmation or explicit dry-run/armed mode increases the chance of unintended irreversible trades from mis-parsed commands, stale cache entries, or prompt/agent mistakes.
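The block below is an added example, not code from the Kalshi Command Center skill, covering the three findings above about `_check_risk()`, the module-level risk claims, and `execute_pick_command()`: a pre-trade gate that checks the cumulative daily loss before every order, defaults to dry-run until explicitly armed, and asks for operator confirmation at the moment of execution. The class and function names (RiskLimits, Order, RiskGate, demo), the per-trade and per-order caps, the sample ticker, and the injectable clock are assumptions for illustration; only the $50 daily figure comes from the page.

```python
# Added example (not the skill's own code). Assumed names and limit values;
# the $50 daily cutoff is the figure the skill advertises.
from dataclasses import dataclass
from datetime import date
from typing import Callable, List


@dataclass(frozen=True)
class RiskLimits:
    max_order_cost_usd: float = 25.0   # per-trade cost cap (assumed value)
    max_order_qty: int = 50            # per-order contract cap (assumed value)
    max_daily_loss_usd: float = 50.0   # the advertised daily loss cutoff


@dataclass(frozen=True)
class Order:
    ticker: str
    side: str         # "yes" or "no"
    qty: int
    price_cents: int  # Kalshi quotes contracts in cents, 1..99

    @property
    def cost_usd(self) -> float:
        # Premium paid; for a bought contract this is also the worst-case loss.
        return self.qty * self.price_cents / 100.0


class RiskGate:
    def __init__(self, limits: RiskLimits, confirm: Callable[[Order], bool],
                 today: Callable[[], date] = date.today):
        self.limits = limits
        self.confirm = confirm    # operator yes/no at the moment of execution
        self.armed = False        # False = dry-run; nothing is ever sent
        self._today = today       # injectable clock so day rollover is testable
        self._day = today()
        self._realized_pnl_usd = 0.0

    def _roll_day(self) -> None:
        if self._today() != self._day:
            self._day = self._today()
            self._realized_pnl_usd = 0.0

    def record_fill_pnl(self, pnl_usd: float) -> None:
        """Feed realized P&L (negative for losses) from settled or closed fills."""
        self._roll_day()
        self._realized_pnl_usd += pnl_usd

    def daily_loss_usd(self) -> float:
        self._roll_day()
        return max(0.0, -self._realized_pnl_usd)

    def check(self, order: Order) -> List[str]:
        """Return the violated controls; an empty list means the order may proceed."""
        problems = []
        if (order.qty <= 0 or not 1 <= order.price_cents <= 99
                or order.side not in ("yes", "no")):
            problems.append("malformed order")
        if order.qty > self.limits.max_order_qty:
            problems.append("per-order quantity limit")
        if order.cost_usd > self.limits.max_order_cost_usd:
            problems.append("per-trade cost limit")
        # The cumulative control the audit found missing: today's realized loss
        # plus this order's worst case must stay within the daily cutoff.
        if self.daily_loss_usd() + order.cost_usd > self.limits.max_daily_loss_usd:
            problems.append("daily loss limit")
        return problems

    def submit(self, order: Order, send: Callable[[Order], str]) -> str:
        """Every path to `send` runs the checks, the armed switch, then confirm."""
        problems = self.check(order)
        if problems:
            return "rejected: " + ", ".join(problems)
        if not self.armed:
            return (f"dry-run: would send {order.qty}x {order.ticker} "
                    f"{order.side} @ {order.price_cents}c")
        if not self.confirm(order):
            return "aborted: operator declined"
        return send(order)


def demo() -> List[str]:
    """Constructed walk-through: a clean $4 order is dry-run, then sent once
    armed, then rejected after a $48 loss, then allowed again the next day."""
    clock = [date(2024, 1, 1)]
    sent: List[Order] = []
    send = lambda o: sent.append(o) or "sent"
    gate = RiskGate(RiskLimits(), confirm=lambda o: True, today=lambda: clock[0])
    order = Order("KXSAMPLE-24", "yes", qty=10, price_cents=40)  # $4.00 premium
    log = [gate.submit(order, send)]
    gate.armed = True
    log.append(gate.submit(order, send))
    gate.record_fill_pnl(-48.0)          # 48 + 4 > 50: cutoff trips before sending
    log.append(gate.submit(order, send))
    clock[0] = date(2024, 1, 2)          # new day: realized loss resets
    log.append(gate.submit(order, send))
    log.append(f"sent={len(sent)}")
    return log


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Two design choices matter here. The daily check counts the order's full premium as its worst case, so the gate refuses an order that could breach the cutoff rather than only noticing after the loss is realized. And `armed` defaults to false, so a mis-parsed command, a stale cached pick, or an agent acting on its own reaches `send` only after an explicit arm step and a confirmation callback that the operator controls.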

VirusTotal

64/64 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.