Scan Report
0/100
kalshi-api
Read-only Kalshi API skill for market discovery, liquidity checks, and market validation
A minimal, read-only Kalshi API market-data fetcher with no external dependencies, no credential access, no file writes, and fully declared behavior in SKILL.md.
Safe to install
Approve for use. No security concerns identified.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | NONE | NONE | — | No filesystem access found in kalshi-api.mjs |
| Network | READ | READ | ✓ Aligned | Only GET requests to api.elections.kalshi.com, declared in SKILL.md |
| Shell | NONE | NONE | — | No shell execution; only node process.argv for CLI argument parsing |
| Environment | NONE | NONE | — | KALSHI_BASE_URL read is a legitimate, documented optional override for the API b… |
| Skill Invoke | NONE | NONE | — | No skill invocation found |
| Clipboard | NONE | NONE | — | No clipboard access |
| Browser | NONE | NONE | — | No browser access |
| Database | NONE | NONE | — | No database access |
2 findings
Medium · External URL: https://docs.kalshi.com (SKILL.md:4)
Medium · External URL: https://api.elections.kalshi.com/trade-api/v2 (SKILL.md:65)
File Tree
3 files · 9.0 KB · 310 lines
JavaScript 2f · 236L
Markdown 1f · 74L
├─ scripts
│  └─ kalshi-api.mjs (JavaScript)
├─ tests
│  └─ kalshi-api.test.mjs (JavaScript)
└─ SKILL.md (Markdown)
Security Positives
✓ No external npm/pip dependencies — self-contained 190-line vanilla JS script
✓ No credential harvesting — only an optional KALSHI_BASE_URL env override, clearly documented
✓ Only GET requests to the declared Kalshi API domain — no data exfiltration
✓ Read-only design enforced in code: no order placement, no writes, no state mutations
✓ Clean doc-to-code match: SKILL.md accurately describes all behavior
✓ spawnSync usage in tests is limited to local CLI smoke-testing and is not exported from the main script
✓ No obfuscation, no base64, no eval, no hidden instructions