kalshi-trading
Fail
Audited by Snyk on Mar 4, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 0.80). The skill includes non‑interactive examples that embed API keys/private key material on the command line (e.g., --private-key "$(cat /path/to/key.pem)" and --api-key-id placeholders) and instructs the agent to "show the exact command" before executing, creating a realistic risk that the LLM would need to echo secret values verbatim.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). This skill's workflows and example bot scripts (SKILL.md/README) instruct the agent to fetch and parse live market data from Kalshi's public API/CLI commands—e.g., "kalshi-cli markets orderbook ... --json", "kalshi-cli markets trades", and "kalshi-cli watch ..."—and then use that untrusted, user-generated market/trade data to make trading decisions and place orders, which could enable indirect prompt injection via manipulated third‑party content.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly a trading integration for Kalshi and includes concrete, money-moving commands and flags. It documents authentication with API keys and private keys, a production mode (--prod / KALSHI_API_PRODUCTION) for real USD trading, and many explicit trade-execution commands: placing limit and market orders (kalshi-cli orders create ...), cancelling/amending orders, batch-create orders, accepting RFQs and quotes, subaccount transfers (portfolio subaccounts transfer --amount ...), and order-group operations that change exposure/limits. Those are direct market-order and funds-transfer capabilities (i.e., designed to send transactions and move real money). Therefore it meets the criteria for Direct Financial Execution.
Audit Metadata