Skill v1.0.0
ClawScan security
Idx Market Data · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 15, 2026, 3:20 AM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requirements and instructions are coherent with its stated purpose (fetching IDX data via GoAPI); it only needs a GoAPI API key and is instruction-only with no installs or extra privileges.
- Guidance: This skill appears to do what it claims: call GoAPI endpoints for IDX data and needs one API key (GOAPI_KEY). Before installing:
  1) Confirm you obtain the key directly from GoAPI (goapi.io) and use a key with limited permissions/rate limits.
  2) Note that SKILL.md instructs sending the key as a query parameter (api_key=...), which is how GoAPI is documented here but is less private than an Authorization header; query parameters can end up in logs or referrers, so avoid using a highly privileged key.
  3) Expect the agent to include GOAPI_KEY in outgoing HTTP requests; ensure your platform's logs/network policies are acceptable.
  4) There is a small metadata mismatch (registry says no env vars but SKILL.md requires GOAPI_KEY) and the package has no homepage or author info. If provenance matters, verify the author/source before trusting keys.
  5) Rotate the key if you stop using the skill and restrict the key's scope where possible.
Review Dimensions
- Purpose & Capability (ok): The skill's name/description (IDX market data via GoAPI) matches the instructions and the single required credential (GOAPI_KEY). There are no unrelated binaries, services, or permissions requested.
- Instruction Scope (ok): SKILL.md only instructs the agent to call GoAPI endpoints, look up symbols, format output, and report API errors. It does not request reading local files, other environment variables, or transmitting data to unrelated endpoints.
- Install Mechanism (ok): No install specification or code files are present (instruction-only), so nothing will be written to disk or fetched at install time.
- Credentials (note): The skill legitimately requires a single API key (GOAPI_KEY). Minor inconsistency: registry metadata lists 'Required env vars: none' while also listing a required config path GOAPI_KEY; SKILL.md clearly instructs the user to set GOAPI_KEY as an environment variable. This is a documentation/metadata mismatch but not a functional overreach.
- Persistence & Privilege (ok): The skill is not always-enabled and does not request elevated or persistent platform privileges. It is allowed to be invoked autonomously by default (normal behavior) but does not request additional system-wide access.
