ClawHub

Query real-time and historical financial data across equities and crypto prices

Security checks across malware telemetry and agentic risk

Overview

MarketPulse is a disclosed stock and crypto market-data API client, with the main user consideration being that queries and the AISA API key go to AIsa's service.

Install only if you are comfortable using an AISA API key and sending requested tickers, screening filters, and market research parameters to AIsa. Prefer a dedicated key, monitor quota or credit costs, and avoid sending confidential portfolio or trading-strategy details unless that sharing is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill metadata declares required binaries and an environment variable, and the content clearly performs authenticated network access to a third-party API, but it does not declare permissions explicitly. This weakens user awareness and platform enforcement around access to secrets and outbound network use, increasing the chance that users invoke the skill without understanding that API credentials and query data will be used externally.

Missing User Warnings

Low
Confidence
96% confidence
Finding
The skill repeatedly instructs users to send authenticated requests with query parameters to api.aisa.one but never warns that prompts, tickers, filters, and usage patterns are transmitted to a third-party service. This is a real privacy/transparency issue because users may assume analysis stays local while the skill is actually a remote API wrapper.

VirusTotal

59/59 vendors flagged this skill as clean.

View on VirusTotal