Kalshi CLI Trading

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Kalshi trading helper, but it should be treated like financial-account access because it can place or cancel real-money orders when production mode is used.

Install only if you trust the external kalshi-cli source and want an agent to help operate a Kalshi account. Start in demo mode, do not use --prod or KALSHI_API_PRODUCTION=true unless you intend real-money trading, and check every market, side, quantity, price, --yes flag, and cancel-all command before approving execution.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 90%
Finding
The README includes an explicit production trading example (`--prod orders create ...`) immediately after demo-mode examples, but it does not place a strong warning at the point of use about executing real-money trades. In an agent skill context, documentation often doubles as operational guidance for automated systems, so a copied command could cause unintended financial loss if run against a live account.

Missing User Warnings

Medium
Confidence: 94%
Finding
The cheat sheet presents order creation, cancel-all, and live-production invocation in a concise copy-pasteable format without adjacent safety warnings. Because this skill is specifically designed for trading and can place or cancel real orders, the lack of contextual warnings increases the chance that a user or agent will execute destructive financial actions unintentionally.

VirusTotal

64/64 vendors flagged this skill as clean.