Query real-time and historical financial data of equity prices, market moves, metrics, and trends for analysis, alerts, and reporting
Advisory
Audited by VirusTotal on Apr 14, 2026.
Overview
Type: OpenClaw Skill
Name: openclaw-aisa-finance-equity-price-market-data-news
Version: 2.0.1
The skill bundle provides a legitimate interface for querying real-time and historical financial data from the AIsa API (api.aisa.one). The Python client (scripts/market_client.py) is a clean implementation using the standard library to perform authenticated HTTP requests, and the instructions in SKILL.md are consistent with the stated purpose of financial research without any signs of malicious intent or prompt injection.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent can use your AISA API key to make market-data requests, which may expose the key to that provider and may consume account quota or incur provider-side usage costs.
The client uses a provider API key from the environment and sends it as an Authorization header. This is expected for the stated AIsa market-data API purpose, but it is still credential-bearing access.
self.api_key = api_key or os.environ.get("AISA_API_KEY") ... "Authorization": f"Bearer {self.api_key}"
Use a dedicated AISA key with the minimum necessary access, monitor usage, and avoid setting the key globally when you do not want agents to use it.
When used, the skill will send selected ticker/query parameters to the AIsa API and retrieve market-data responses.
The skill documents direct authenticated network calls to the AIsa API. These calls are purpose-aligned and user-directed examples, but they are external API operations performed by the agent.
curl "https://api.aisa.one/apis/v1/financial/prices?ticker=AAPL&interval=day..." -H "Authorization: Bearer $AISA_API_KEY"
Review the query the agent is about to run when using sensitive watchlists or large screens, and set reasonable limits on broad market scans.
The registry may not prompt you for the API key or local tools even though the skill documentation and script need them.
SKILL.md declares runtime dependencies and an API key, while the supplied registry metadata lists no required binaries, env vars, or primary credential. This is an under-declared registry contract, not evidence of hidden execution.
metadata: {"aisa":{"requires":{"bins":["curl","python3"],"env":["AISA_API_KEY"]},"primaryEnv":"AISA_API_KEY"
Confirm you have python3/curl available and intentionally provide AISA_API_KEY only when you want this skill to access the AIsa service.
