Kalshi Event Contract Tracker

Security checks across malware telemetry and agentic risk

Overview

This is a read-only Kalshi market-data helper with disclosed API-key use and no trading, persistence, or hidden behavior.

Install only if you are comfortable letting the agent make authenticated read-only Kalshi API requests with your API key. Prefer a dedicated or least-privilege key if available, keep the key out of chat/logs, and verify future edits do not add order-placement or account-management endpoints.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (7)

Missing User Warnings

Low
Confidence
93% confidence
Finding
The skill instructs use of an authenticated Bearer token in outbound requests to an external Kalshi API but does not explicitly disclose that the user's API key will be transmitted to a third-party service. This is a real but low-severity issue because the transmission is inherent to the skill's purpose and appears directed to the expected vendor, yet users should be clearly warned about credential use and data flow.

External Transmission

Medium
Category
Data Exfiltration
Content
Browse events with optional category filtering:

```bash
curl -s "https://api.elections.kalshi.com/trade-api/v2/events?status=open&limit=50" \
  -H "Authorization: Bearer $KALSHI_API_KEY" \
  | jq '[.events[] | {
    ticker: .event_ticker,
```
Confidence
89% confidence
Finding
https://api.elections.kalshi.com/

External Transmission

Medium
Category
Data Exfiltration
Content
To filter by category (e.g., sports):

```bash
curl -s "https://api.elections.kalshi.com/trade-api/v2/events?status=open&limit=50&series_ticker=SPORTS" \
  -H "Authorization: Bearer $KALSHI_API_KEY" \
  | jq '[.events[] | {
    ticker: .event_ticker,
```
Confidence
89% confidence
Finding
https://api.elections.kalshi.com/

External Transmission

Medium
Category
Data Exfiltration
Content
Fetch current Yes/No prices, volume, and status for a specific event's markets. Replace EVENT_TICKER with the event ticker from operation 1:

```bash
curl -s "https://api.elections.kalshi.com/trade-api/v2/events/EVENT_TICKER" \
  -H "Authorization: Bearer $KALSHI_API_KEY" \
  | jq '{
    event: .event.title,
```
Confidence
90% confidence
Finding
https://api.elections.kalshi.com/

External Transmission

Medium
Category
Data Exfiltration
Content
After fetching prices, convert to American odds for sportsbook comparison:

```bash
curl -s "https://api.elections.kalshi.com/trade-api/v2/events/EVENT_TICKER" \
  -H "Authorization: Bearer $KALSHI_API_KEY" \
  | jq -r '.event.markets[] | "\(.subtitle)\t\(.last_price)"' \
  | python3 -c "
```
Confidence
90% confidence
Finding
https://api.elections.kalshi.com/

External Transmission

Medium
Category
Data Exfiltration
Content
View resting orders to assess liquidity for a specific market. Replace MARKET_TICKER with the market ticker from operation 2:

```bash
curl -s "https://api.elections.kalshi.com/trade-api/v2/markets/MARKET_TICKER/orderbook" \
  -H "Authorization: Bearer $KALSHI_API_KEY" \
  | jq '{
    ticker: .ticker,
```
Confidence
90% confidence
Finding
https://api.elections.kalshi.com/

External Transmission

Medium
Category
Data Exfiltration
Content
See the last trades executed on a market for momentum and volume analysis:

```bash
curl -s "https://api.elections.kalshi.com/trade-api/v2/markets/MARKET_TICKER/trades?limit=20" \
  -H "Authorization: Bearer $KALSHI_API_KEY" \
  | jq '[.trades[] | {
    time: .created_time,
```
Confidence
90% confidence
Finding
https://api.elections.kalshi.com/

VirusTotal

58/58 vendors flagged this skill as clean.
