kalshi-trading

Warn

Audited by Socket on Feb 15, 2026

1 alert found:

Security: MEDIUM
SKILL.md

[Skill Scanner] Backtick command substitution detected

All findings:
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]

This skill appears coherent with its stated purpose: it implements market queries (unauthenticated) and authenticated portfolio/order operations using RSA-signed headers. No malicious code or obfuscated backdoors were found. The main risks are operational: the code requires a raw private key PEM to be provided at runtime (legitimate for RSA signing but sensitive), and the API_BASE domain (api.elections.kalshi.com) should be validated as the official Kalshi endpoint. Confirm whether the API expects request-body signing; if so, the current signing of only timestamp+method+path may be insufficient for integrity. Overall, the skill is not malicious but requires careful key management and endpoint verification.

LLM verification: The provided fragment appears to be a straightforward Kalshi trading API client. No clear signs of malware or intentional backdoors were observed. Primary security concerns are operational: (1) verify the API_BASE domain (api.elections.kalshi.com) matches official Kalshi documentation to rule out typo-squatting, and (2) avoid supplying raw private key PEM into untrusted runtimes — prefer secure key storage or delegated tokens where possible. Also confirm the signing canonicalization with AUTHENT

Confidence: 80%
Severity: 75%

Audit Metadata
Analyzed At: Feb 15, 2026, 10:13 PM
Package URL: pkg:socket/skills-sh/newyorkcompute%2Fkalshi%2Fkalshi-trading%2F@29881ebe862e98203a3ea50974fd6a688a19c3d9