Safety Report

Kalshi Trading

Name: Kalshi Trading
Rating: 5 (7 reviews)
Author: ghsmc

Trade on Kalshi prediction markets: check portfolio, search markets, analyze orderbooks, place/cancel orders, and manage binary contract positions.

995Downloads

2Installs

7Stars

1Versions

Search & Retrieval2,116 E-Commerce1,690 Networking & DNS1,102 Legal & Compliance738

Security Analysis

high confidence

Clean0.04 risk

The skill's requirements, instructions, and included code are consistent with a Kalshi trading CLI: the requested env vars, node runtime, and network calls match the stated purpose and there are no unexplained endpoints or installers.

Feb 14, 20266 files1 concern

Purpose & Capabilityok

Name/description (Kalshi trading) align with required binaries (node), required env vars (API key ID and path to private key), and the code (signing requests, calling Kalshi endpoints). All declared requirements are expected for a signed-requests trading CLI.

Instruction Scopeok

SKILL.md and the scripts limit actions to Kalshi API usage (search, market, orderbook, portfolio, orders, place/cancel orders). The docs explicitly require user confirmation before trades. The runtime instructions do not ask the agent to read unrelated files or contact unexpected external endpoints.

Install Mechanismok

No install spec (instruction-only / bundled scripts). No downloads or archive extraction are requested, so there is no high-risk installer activity.

Credentialsnote

Requires two env vars: KALSHI_API_KEY_ID and KALSHI_PRIVATE_KEY_PATH. These are appropriate and necessary for RSA-PSS signing, but the private key file is highly sensitive—the skill reads it from disk to create signatures. Users should ensure the key file is stored with tight permissions and not shared; only provide keys you intend the CLI to sign requests with.

Persistence & Privilegeok

always is false and the skill does not request persistent or elevated system-wide privileges. It does spawn a child node process (quick-analysis) to call the bundled CLI — this is consistent with the helper script's purpose and not an unexplained privilege escalation.

Guidance

This skill appears to be what it claims: a Node.js CLI for Kalshi that signs requests with an RSA private key. Before installing, (1) verify you trust the skill source and review the included scripts (they are bundled and runnable); (2) keep the private key file secure (chmod 600, store in a restricted path) because the CLI reads it to sign requests; (3) prefer using Kalshi's demo environment for testing (the script defaults to production); (4) confirm trades interactively — SKILL.md requires you to always confirm before placing orders, but the CLI can accept direct args, so your agent or UI must enforce confirmation; and (5) revoke or rotate API keys if you suspect misuse.

Latest Release

v1.0.0

Initial release — full prediction market trading via CLI (search, buy, sell, portfolio, orderbook)

Popular Skills

self-improving-agent

@pskoett · 1,456 stars

Gog

@steipete · 672 stars

Tavily Web Search

@arun-8687 · 620 stars

Find Skills

@JimLiuxinghai · 529 stars

Proactive Agent

@halthelobster · 426 stars

Summarize

@summarize · 415 stars

Published by @ghsmc on ClawHub