Kalshi Politics Random Buyer Publish
Advisory
Audited by Static analysis on May 3, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill may repeatedly use the user's Simmer API key and generate/import market data without the user starting each run manually.
This configures a managed recurring runner every 30 minutes. SKILL.md documents local/manual runs and manual confirmation, so the persistence/background behavior is under-disclosed.
"cron": "*/30 * * * *", "automaton": { "managed": true, "entrypoint": "trade_skill.py" }
Install only if you want scheduled automation. The publisher should clearly document the cron behavior and ideally require explicit opt-in for recurring runs.
Even in dry-run mode, the skill can change Simmer-side indexed market state.
The skill uses the Simmer SDK to list Kalshi markets and import selected markets into Simmer. This matches the stated workflow, but import is still a provider-side state change.
markets = client.list_importable_markets(venue="kalshi", q=query, limit=limit) ... result = client.import_kalshi_market(url)
Review generated plans and understand that Simmer imports may occur; avoid running it on accounts where indexing/import side effects are unwanted.
The skill can act through the user's Simmer account according to whatever permissions that API key has.
The skill requires a sensitive service credential. This is expected for Simmer context checks and no hardcoded or leaked secret is shown in the provided artifacts.
`SIMMER_API_KEY` (required): Your Simmer API key.
Use a least-privilege API key if available, rotate it if exposed, and do not provide trading permissions unless needed.
Future or unexpected versions of the dependency could affect what code runs locally.
The skill depends on an external Python package without a pinned version in the provided artifacts. This is expected for the integration but leaves dependency provenance/version control to the installer.
"requires": { "pip": ["simmer-sdk"], "env": ["SIMMER_API_KEY"] }
Verify the simmer-sdk package source and consider pinning a reviewed version.
Account balance information could be visible wherever the skill's output or scheduled-run logs are stored.
The skill retrieves account briefing/balance information and includes bankroll in the generated plan. This is purpose-aligned for position sizing, but it may place financial account context into stdout or managed-run logs.
briefing = client.get_briefing() ... "bankroll_usd": round(bankroll, 2)
Treat outputs and logs as sensitive, and avoid running under shared logging environments unless you are comfortable exposing bankroll information.
