Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Kalshi Event Contract Tracker

v1.1.0

Track Kalshi event contract prices, order book depth, and recent trades. Covers sports, politics, economics, and weather markets. Converts contract prices to...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md clearly implements a Kalshi read-only tracker (prices, order book, trades) and uses curl/jq to call Kalshi APIs — this matches the name and description. However, the registry metadata at the top of the report lists no required env vars or primary credential, while the SKILL.md declares a Kalshi API key (KALSHI_API_KEY). That mismatch is unexpected and should be corrected.
Instruction Scope
Instructions only call Kalshi API endpoints, parse results with jq (and a small Python snippet), and present read-only market data. The SKILL.md does not instruct the agent to read local files, other credentials, or send data to third-party endpoints outside the Kalshi API. Error handling mentions the API key and 401s. Scope appears limited to the stated purpose.
Install Mechanism
This is instruction-only with no install spec or code to download and execute; that is the lowest-risk install model.
Credentials
The SKILL.md requires KALSHI_API_KEY (Authorization: Bearer $KALSHI_API_KEY) but the skill registry metadata reported no required env vars or primary credential — a clear inconsistency. Also, the runtime uses python3 in a conversion step but python3 is not listed in the required binaries (only curl and jq are listed). These mismatches could lead to runtime failures or indicate the package metadata was not kept in sync with the instructions.
Persistence & Privilege
always:false and no install step that modifies agent configuration. The skill can be invoked autonomously (default), which is normal — there is no elevated persistence requested.
What to consider before installing
This skill appears to do what it says (read-only Kalshi market queries), but before installing:
1) Verify the author/source since the registry metadata does not declare the KALSHI_API_KEY even though SKILL.md requires it; that suggests the listing might be incomplete or stale.
2) Ensure python3 is available on the agent environment (SKILL.md calls a python3 snippet) or ask the publisher to add python3 to the required binaries.
3) Confirm you are comfortable providing a Kalshi API key (KALSHI_API_KEY) and limit the key's scope if possible; keep it secret.
4) Check the API endpoints used (api.elections.kalshi.com/trade-api/...) against Kalshi's official API docs to confirm they are legitimate.
If you cannot verify the source or these mismatches, treat the skill as untrusted and avoid installing it until the metadata and required dependencies are corrected.

Like a lobster shell, security has layers — review code before you run it.

Tags: agentbets, betting, latest, openclaw, prediction-markets, sports-betting


Runtime requirements

📈 Clawdis
Bins: curl, jq