MarketPulse Financial Data

Security checks across malware telemetry and agentic risk

Overview

MarketPulse is a straightforward financial-data lookup skill that sends user-requested market queries to a disclosed AIsa API using a disclosed API key.

Install only if you trust AIsa/OpenClaw with your API key and the market queries you submit. Use a dedicated or scoped API key if available, avoid pasting the key into prompts or logs, and remember that API usage may reveal ticker/portfolio-like interests to the provider and may incur costs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 93%
Finding: The skill metadata declares required binaries and an environment variable API key, and the documentation clearly instructs making outbound HTTPS requests, but there is no explicit permissions declaration surfaced to users. This creates a transparency and consent problem: users may not realize the skill can access credentials and transmit data over the network.

Missing User Warnings

Low
Confidence: 87%
Finding: The documentation repeatedly shows use of `AISA_API_KEY` in Authorization headers and instructs users to export it, but it does not warn that the key is transmitted to a third-party service or advise on safe handling. While standard for API clients, omission of credential-handling guidance increases the chance of accidental leakage, misuse, or uninformed secret sharing.

VirusTotal

66/66 vendors flagged this skill as clean.
