Trusted: risk score 5/100
Last scanned: 1 day ago
kalshi-paper-trading
Kalshi-native paper trading ledger and CLI for binary prediction contracts. Use for paper opens, marks, reconciliation, valuation, and review without relying on the generic spot-style paper trader.
A clean, well-structured Kalshi paper trading ledger implemented in pure TypeScript using Node.js built-ins and node:sqlite, with no malicious indicators, no credential harvesting, no obfuscation, and declared network access to an official Kalshi API endpoint.
Skill name: kalshi-paper-trading
Analysis time: 30.3s
Engine: pi
Safe to install
Approve for use. The skill performs exactly as documented — paper trading ledger management with optional live market sync from api.elections.kalshi.com.

Security findings: 1

Severity | Finding | Location
Low | allowed-tools metadata not populated (category: documentation deception) | SKILL.md:1
Details: SKILL.md declares no allowed-tools mapping. The actual capabilities (network:READ to the Kalshi API, filesystem:WRITE to the local DB) are implied by the command examples but not formally listed. This is a documentation hygiene issue with no security impact.
Evidence: metadata: openclaw: { emoji, requires: { bins: [node] } }
→ Add an allowed-tools section to the SKILL.md metadata: network:READ, filesystem:WRITE, database:WRITE, environment:READ
Resource | Declared | Inferred | Status | Evidence
Filesystem | NONE | WRITE | ✓ consistent | scripts/kalshi_paper.ts:233 — stores SQLite DB to ~/.openclaw/
Network | NONE | READ | ✓ consistent | SKILL.md lines 51-55 — sync-market and buy-from-market commands fetch from api.e…
Database | NONE | WRITE | ✓ consistent | scripts/kalshi_paper.ts:233 — SQLite DatabaseSync for local ledger
Command execution | NONE | NONE | | No subprocess/spawn in scripts/kalshi_paper.ts — tests use spawn only
Environment variables | NONE | READ | ✓ consistent | scripts/kalshi_paper.ts:225 — reads optional KALSHI_BASE_URL env var
Skill invocation | NONE | NONE | | No cross-skill invocation
Clipboard | NONE | NONE | | No clipboard access
Browser | NONE | NONE | | No browser automation
External URLs: 2 findings
Medium | External URL | https://docs.kalshi.com | SKILL.md:4
Medium | External URL | https://api.elections.kalshi.com/trade-api/v2 | scripts/kalshi_paper.ts:221

Directory structure

4 files · 61.7 KB · 2146 lines
TypeScript 1 file · 1274 lines; Markdown 2 files · 481 lines; JavaScript 1 file · 391 lines
├─ 📁 references
│ └─ 📝 kalshi-paper-ledger.md Markdown 370L · 7.9 KB
├─ 📁 scripts
│ └─ 📜 kalshi_paper.ts TypeScript 1274L · 38.5 KB
├─ 📁 tests
│ └─ 📜 kalshi_paper.test.mjs JavaScript 391L · 12.1 KB
└─ 📝 SKILL.md Markdown 111L · 3.1 KB

Dependency analysis: 3 items

Package | Version | Source | Known vulnerabilities | Notes
node:sqlite | builtin | node | | Node.js built-in — no external package dependency
node:fs | builtin | node | | Node.js built-in for SQLite DB directory creation
node:crypto | builtin | node | | Node.js built-in for UUID generation

Security highlights

✓ Pure Node.js built-ins only (node:crypto, node:fs, node:sqlite, node:os, node:path) — zero external dependencies
✓ No credential harvesting — KALSHI_BASE_URL is an optional, named, documented override
✓ No sensitive path access (no ~/.ssh, ~/.aws, .env enumeration)
✓ No obfuscation — all code is plain TypeScript, no eval, no atob, no base64 execution
✓ No remote script execution (no curl|bash, no wget|sh)
✓ Local SQLite database scoped to ~/.openclaw/kalshi-paper.db — no system-wide writes
✓ Network calls limited to one official, hardcoded Kalshi API endpoint
✓ Append-only execution log with average-cost accounting — no speculative state mutation
✓ Comprehensive unit tests with in-process HTTP server mocking