This report was generated in Chinese.
Low Risk — Risk Score 20/100
Kalshalyst
Contrarian prediction market scanner using Claude Sonnet analysis, Brier score calibration, and Kelly Criterion position sizing
A prediction-market scanning tool with high code quality and good security practices, but with one documentation-behaviour mismatch (an undeclared subprocess execution).
Skill Name: Kalshalyst
Duration: 51.6s
Engine: pi
ClawHub Kalshalyst v1.1.5 by kingmadellc
📥 337 📦 2
ClawHub Verdict: Suspicious (dynamic_code_execution, llm_suspicious, vt_suspicious)
Safe to install
Recommendation: document the subprocess call in claude_estimator.py in SKILL.md to remove the documentation-behaviour mismatch.

Findings (2 items)

Severity: Medium
Finding: Undeclared subprocess execution (Doc Mismatch)
Detail: scripts/claude_estimator.py invokes the local Claude CLI via subprocess.run(['claude', '-p', ...]), but SKILL.md only mentions calls to the Anthropic API and does not declare this execution path.
Evidence: subprocess.run(["claude", "-p", full_prompt, "--output-format", "text"], capture_output=True, text=True, timeout=timeout, start_new_session=True)
Recommendation: State explicitly in the Requirements section of SKILL.md: 'the local Claude CLI (Max subscription) is used first, falling back to the Anthropic API on failure'
Location: scripts/claude_estimator.py:40

Severity: Low
Finding: Environment variable / config file read (Sensitive Access)
Detail: The _load_anthropic_key() function reads the API key from ~/.openclaw/.env. This is a standard credential-management pattern, but SKILL.md does not state it explicitly.
Evidence: key = os.environ.get("ANTHROPIC_API_KEY") or Path.home() / ".openclaw" / ".env"
Recommendation: Add to the API Keys section of SKILL.md: the key can be read from the environment variable or from the ~/.openclaw/.env file
Location: scripts/claude_estimator.py:57
Resource    Declared  Inferred  Status       Evidence
Filesystem  WRITE     WRITE     ✓ Aligned    scripts/trade_ledger.py:45, scripts/kalshalyst.py:107
Network     READ      READ      ✓ Aligned    scripts/kalshalyst.py:409, scripts/auto_trader.py:409
Shell       NONE      WRITE     ✗ Violation  scripts/claude_estimator.py:40-54
External URLs (11 findings)

Medium  External URL  https://kalshi.com  (SKILL.md:37)
Medium  External URL  https://console.anthropic.com  (SKILL.md:43)
Medium  External URL  https://polygon.io  (SKILL.md:49)
Medium  External URL  https://ollama.ai  (SKILL.md:62)
Medium  External URL  https://status.kalshi.com  (SKILL.md:621)
Medium  External URL  https://x.com/KingMadeLLC  (SKILL.md:732)
Medium  External URL  https://api.elections.kalshi.com/trade-api/v2/portfolio/orders/  (scripts/auto_trader.py:409)
Medium  External URL  https://api.elections.kalshi.com/trade-api/v2/portfolio/positions?limit=1  (scripts/kalshalyst.py:152)
Medium  External URL  https://api.elections.kalshi.com/trade-api/v2/markets  (scripts/kalshalyst.py:456)
Medium  External URL  https://api.elections.kalshi.com/trade-api/v2  (scripts/kalshalyst.py:854)
Medium  External URL  https://api.elections.kalshi.com/trade-api/v2/markets/  (scripts/pnl_tracker.py:525)

File Tree

17 files · 267.5 KB · 7728 lines
Python: 10 files, 5392 lines · Markdown: 6 files, 2332 lines · Text: 1 file, 4 lines
├─ 📁 references
│ ├─ 📝 blocklist.md Markdown 368L · 11.4 KB
│ ├─ 📝 brier-schema.md Markdown 524L · 14.1 KB
│ ├─ 📝 contrarian-prompt.md Markdown 274L · 9.6 KB
│ └─ 📝 kelly-math.md Markdown 386L · 10.3 KB
├─ 📁 scripts
│ ├─ 🐍 auto_trader.py Python 883L · 38.4 KB
│ ├─ 🐍 brier_tracker.py Python 346L · 11.2 KB
│ ├─ 🐍 circuit_breaker.py Python 242L · 8.9 KB
│ ├─ 🐍 claude_estimator.py Python 443L · 16.5 KB
│ ├─ 🐍 kalshalyst.py Python 876L · 31.5 KB
│ ├─ 🐍 kelly_size.py Python 275L · 9.1 KB
│ ├─ 🐍 pnl_tracker.py Python 1111L · 39.9 KB
│ ├─ 🐍 qwen_analyzer.py Python 201L · 6.0 KB
│ ├─ 🐍 sports_estimator.py Python 670L · 23.0 KB
│ └─ 🐍 trade_ledger.py Python 345L · 10.8 KB
├─ 📝 README.md Markdown 46L · 2.6 KB
├─ 📄 requirements.txt Text 4L · 70 B
└─ 📝 SKILL.md Markdown 734L · 24.1 KB

Dependencies (4 items)

Package        Version  Source  Known Vulns  Notes
kalshi-python  1.0.0    pip     No           Version pinned
requests       2.32.5   pip     No           Version pinned
anthropic      0.18.0   pip     No           Version pinned
pyyaml         6.0.3    pip     No           Version pinned

Security Positives

✓ Clear code structure with good modular design
✓ Sound credential handling: the PEM private key is cleared from memory immediately after being read
✓ Thorough API error handling; fail-loud mode avoids silent failures
✓ Six layers of safety controls: balance check, loss limit, position limit, exposure limit, reconciliation verification, redundant filtering
✓ No malicious code signatures: no base64 execution, no reverse shell, no suspicious network requests, no credential exfiltration
✓ Dependency versions pinned: requirements.txt specifies exact versions
✓ Data is stored only locally; no C2 communication or data exfiltration found
✓ Hard filtering of sports markets to exclude noisy markets