kalshi

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). This skill instructs the agent to fetch and interpret publicly-available Kalshi data (e.g., the unauthenticated REST endpoints like GET /markets and /events, /exchange/announcements, and public WebSocket channels such as "trade" and "ticker") which are third-party, user/market-generated content the agent will read as part of its workflow and thus could carry embedded/malicious text that induces indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill explicitly instructs agents to "Always consult" the machine-readable index at https://docs.kalshi.com/llms.txt during build/runtime as the single source of truth, so fetching that remote file will directly influence agent prompts/instructions and is presented as a required runtime dependency.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly a trading API for a regulated exchange and includes authenticated, write-capable endpoints and protocols for placing and managing trades. Examples include POST /portfolio/orders (Create Order), /portfolio/orders/batched (Batch Create/Cancel Orders), endpoints to amend/cancel/decrease orders, subaccount transfer endpoint (/portfolio/subaccounts/transfer), account balance and portfolio management endpoints, and FIX protocol/SDKs for low-latency order entry. The docs also include signing examples for authenticated requests and an example trading bot (Alph Bot) that performs order execution. These are specific, purpose-built financial execution capabilities (placing/canceling/amending orders and transferring funds/positions), not generic tooling.