Is jthomasdevs/kalshi-agent safe?

https://github.com/openclaw/skills/tree/main/skills/jthomasdevs/kalshi-agent

Overall score: 85 (SAFE)

The kalshi-agent skill is a straightforward CLI documentation wrapper for the Kalshi prediction markets trading API with no prompt injection, hidden instructions, or observed malicious behavior during installation. The primary risks are (1) a supply chain concern from the unaudited kalshi-cli npm package installed by install.sh (which was not executed during this audit), and (2) the inherent financial risk of granting an AI agent confirmed access to execute real-money trades with a --force bypass that skips human confirmation. No canary files were exfiltrated and the only network activity observed was the expected git clone from GitHub.

Category Scores (score/100 · weight)

Prompt Injection 93/100 · 30%
Data Exfiltration 82/100 · 25%
Code Execution 73/100 · 20%
Clone Behavior 87/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 68/100 · 5%

Findings (8)

[HIGH] Unaudited Global NPM Package Installation (-27)

install.sh unconditionally runs 'npm install -g kalshi-cli', installing a third-party npm package globally. NPM lifecycle hooks (preinstall, postinstall, install) execute arbitrary code during installation with the invoking user's privileges. The kalshi-cli package was not included in this audit scope and its contents are unknown.

[HIGH] Real-Money Trading with Confirmation Bypass Flag (-25)

The skill instructs an agent to use 'kalshi buy' and 'kalshi sell' commands against live prediction markets. The --force flag documented in SKILL.md bypasses the cost/proceeds confirmation prompt. A manipulated or hallucinating agent could place financially damaging orders without any human review step.

[MEDIUM] RSA Private Key and API Credentials Required by Design (-12)

The skill metadata declares a hard dependency on ~/.kalshi/private_key.pem (an RSA private key used to sign API requests) and the KALSHI_ACCESS_KEY environment variable. Any agent with this skill loaded has a legitimate declared reason to read these credential files, lowering the bar for credential theft if combined with other skills.

[MEDIUM] Supply Chain Risk via Unaudited kalshi-cli NPM Package (-7)

The underlying CLI tool is an external npm package maintained by JThomasDevs. A malicious update or a compromised npm account could introduce credential-harvesting or backdoor behavior in a subsequent install. The skill itself contains no mechanism to pin or verify the package version.

[LOW] Kalshi API Outbound Data Transmission by Design (-6)

Normal use of this skill causes the agent to transmit portfolio data, balances, positions, and order details to Kalshi's external API. This is expected and disclosed but represents sensitive financial data leaving the local environment.

[LOW] Install Script Writes Outside Skill Directory (-3)

install.sh creates ~/.kalshi/ and writes ~/.kalshi/.env with a template containing placeholder credentials. While the content is benign, the script modifies the user's home directory, which is outside the skill's own directory.

[INFO] External URLs Embedded in SKILL.md (-7)

SKILL.md contains links to https://kalshi.com/api and https://docs.kalshi.com/api-reference/ which are injected into the agent's context. These are legitimate documentation URLs but represent content the agent may be instructed to fetch.

[INFO] Outbound HTTPS Connection to GitHub During Clone (-13)

A TLS connection to 140.82.121.3:443 (GitHub) was established during the sparse checkout. This is the expected and only external connection made by the installation process.