kalshi-api
Pass
Audited by Gen Agent Trust Hub on Mar 23, 2026
Risk Level: SAFE
Full Analysis
- [EXTERNAL_DOWNLOADS]: Fetches market data from official Kalshi API endpoints (api.elections.kalshi.com). These operations are transparent and consistent with the skill's stated purpose of market validation.
- [COMMAND_EXECUTION]: Executes a local Node.js script (scripts/kalshi-api.mjs) to process data. User-supplied arguments like market tickers are URI-encoded before being included in API requests, preventing manipulation.
- [PROMPT_INJECTION]: The skill ingests data from external API responses, which constitutes a surface for indirect instructions.
  - Ingestion points: Market and trade data is retrieved via fetch in scripts/kalshi-api.mjs.
  - Boundary markers: The skill rules in SKILL.md explicitly restrict activity to read-only market discovery.
  - Capability inventory: Execution is confined to the local script's defined logic with no capability for system-level persistence or privilege escalation.
  - Sanitization: API responses are parsed as JSON and stringified before output to the agent.
Audit Metadata