Back to skill
Skillv1.0.0
ClawScan security
One API key for real time stock equity pricing data including crypto BTC ETH etc. · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignFeb 11, 2026, 9:08 AM
- Verdict
- Benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's requirements, instructions, and included client code are consistent with a market-data API client that needs a single AISA_API_KEY and standard network tools.
- Guidance
- This skill appears internally consistent with a market-data client. Before installing, confirm you trust the AIsa provider (api.aisa.one) and the source of your AISA_API_KEY. Use a key with minimal scope and monitor usage/quotas; avoid putting high-privilege or long-lived credentials into third-party skills without verifying the provider and their privacy/retention policies. If you need higher assurance, review the provider's documentation, TLS certs for api.aisa.one, and consider testing with a limited/staging API key first.
Review Dimensions
- Purpose & Capability
- okName/description claim real-time & historical market data; the skill asks only for curl/python3 and AISA_API_KEY and targets api.aisa.one endpoints. The single API key and requested binaries are appropriate and expected for this purpose.
- Instruction Scope
- okSKILL.md contains concrete curl examples and CLI usage for market data endpoints. Instructions reference only the AISA_API_KEY env var and the documented API endpoints; they do not request unrelated files, system state, or extra secrets.
- Install Mechanism
- okNo install spec (instruction-only) and included Python client script — nothing is downloaded from arbitrary URLs or written to unusual locations. Requiring python3/curl is proportionate and low risk.
- Credentials
- okOnly AISA_API_KEY is required (declared as primaryEnv). No unrelated credentials, config paths, or broad-scoped secrets are requested. The skill's code reads that env var and uses it as a bearer token — expected behavior.
- Persistence & Privilege
- okalways:false (not force-included). disable-model-invocation is false (normal); autonomous invocation is allowed but not excessive here. The skill does not attempt to modify other skills or system-wide configs.