dapp-kalshi
Fail
Audited by Gen Agent Trust Hub on Mar 15, 2026
Risk Level: HIGH
Categories: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, CREDENTIALS_UNSAFE, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill instructs the agent to install and update the plugin-store utility by piping a remote script from a personal GitHub repository directly into the shell (curl -sSL ... | sh). This is a high-risk pattern that allows for arbitrary code execution from a remote source.
- [CREDENTIALS_UNSAFE]: The skill is designed to handle sensitive authentication materials, specifically KALSHI_PRIVATE_KEY_PEM (RSA private keys) and KALSHI_KEY_ID, which are required for trading operations.
- [COMMAND_EXECUTION]: The skill relies extensively on executing the plugin-store CLI with multiple parameters and subcommands, including financial actions like buying and selling contracts.
- [DATA_EXFILTRATION]: The skill interacts with sensitive local files and configuration directories (~/.plugin-store/), creating a risk surface for exposing API keys or session data if the underlying CLI tool is compromised.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8) because it ingests untrusted market data (search results, event titles) from the Kalshi API and interpolates this data into commands without explicit boundary markers or sanitization logic.
- [METADATA_POISONING]: There is a discrepancy in authorship; the skill metadata claims the author is "okx", whereas the account publishing the skill is "purong-huang-1121".
Recommendations
- HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/purong-huang-1121/skills-store/main/install.sh - DO NOT USE without thorough review
Audit Metadata