kalshi-weather-trader

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill fetches external NOAA forecasts from https://api.weather.gov and discovers/imports public Kalshi markets via the Simmer API (e.g., list_importable_markets and GET /api/sdk/markets), then parses market question/outcome text and NOAA data as part of its trading logic—these third‑party texts directly influence buy/sell decisions and trade execution.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly a trading bot for Kalshi markets: it describes buying and selling (“Entry: ... → BUY”, “Exit: ... sells”), running live execution commands (python weather_trader.py --live), and uses the Simmer SDK/DFlow on Solana to execute trades. It requires a Solana private key (SOLANA_PRIVATE_KEY) to sign transactions client-side, asks for a SIMMER_API_KEY, references portfolio/positions API endpoints, and documents KYC required for buys. These are specific payment/market-order capabilities (signing and sending blockchain transactions and placing market orders), not generic tooling—therefore it grants direct financial execution authority.