Security audit

Prediction Market Arbiter

Security checks across malware telemetry and agentic risk

Overview

The skill appears purpose-related to Kalshi market work, but it handles financial credentials and persistent local data with too little disclosure and a dry-run mode that still writes files.

Install only if you are comfortable giving it access to Kalshi-related credentials and local cache files. Use a dedicated, least-privileged API key if possible, store private keys outside the repo with restricted permissions, and delete or relocate cache files if you do not want trading/activity data persisted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 95%
Finding:
The skill documentation clearly describes network access, local file reads for a private key, and file writes for cached results/logging, yet it declares no permissions. This creates a transparency and consent problem: users or platforms may approve the skill without realizing it can access credentials, contact external APIs, and persist data locally.

Intent-Code Divergence

Medium
Confidence: 90%
Finding:
The usage text promises that --dry-run only displays matches and implies no lasting side effects, but the implementation still creates ~/.openclaw/state/arbiter_cache.json and ~/.arbiter_cache.json before checking dry_run. This can surprise users, leave persistent artifacts on disk, and violate expectations in testing or restricted environments where dry-run should be non-mutating.

Missing User Warnings

Medium
Confidence: 92%
Finding:
The documentation instructs users to store a Kalshi API key ID and private key path in configuration and separately describes writing match results to disk, but it does not warn about protecting credential material or the sensitivity of persisted local data. This increases the risk of insecure key storage, accidental exposure through backups/shared directories, or unintended disclosure of trading activity and schedules.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.