open-market-data

Pass

Audited by ClawScan on May 1, 2026.

Overview

This is a coherent financial-data CLI skill that installs an external npm tool and may use optional API keys, with no artifact-backed evidence of deceptive or unsafe behavior.

This skill appears safe for its stated purpose. Before installing, verify that you trust the npm package, understand that financial queries go to external providers, and handle any configured API keys as secrets.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing the skill will rely on external npm package code for the `omd` command.

Why it was flagged

The usable functionality comes from an external Node package rather than code included in the provided artifact set. This is expected for this CLI skill, but it means the user is trusting that package.

Skill content

[0] node | package: open-market-data | creates binaries: omd

Recommendation

Install only if you trust the package and its linked project; consider checking the npm package and GitHub repository before use.

What this means

If configured, the agent may use provider API keys to make financial-data requests on the user’s behalf.

Why it was flagged

The skill documents optional API keys for financial-data providers. These credentials are purpose-aligned, but they are still account-linked secrets that should be handled carefully.

Skill content

export FRED_API_KEY=your_key
export COINGECKO_API_KEY=your_key
export FINNHUB_API_KEY=your_key
export ALPHA_VANTAGE_API_KEY=your_key

Recommendation

Use minimally scoped/free-tier API keys where possible, avoid sharing keys in chat, and be cautious with commands such as `omd config show` if they display stored secrets.

What this means

Ticker symbols, company searches, or macroeconomic queries may be sent to one or more third-party financial-data services.

Why it was flagged

Financial queries may be sent to different external data providers through automatic routing and fallback. The behavior is disclosed and controllable with `--source`, but users should be aware of the data flow.

Skill content

Commands automatically route to the best available source. If the top source fails or hits its rate limit, it falls back to the next one. Use `--source <name>` to force a specific provider.

Recommendation

Use `--source` when you need to control the provider, and avoid entering sensitive private research terms if you do not want them sent to external APIs.