MarketPulse Financial Data
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: aisa-market-skill Version: 1.0.2 The MarketPulse skill bundle is a legitimate financial data integration for the AIsa API (api.aisa.one). The Python client (scripts/market_client.py) uses standard libraries to perform authenticated requests for stock and cryptocurrency data, and the SKILL.md instructions correctly guide the agent on how to use these tools without any evidence of prompt injection, data exfiltration, or malicious execution.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill may consume or expose usage under your AIsa API account, depending on that provider's billing and access controls.
The client reads an API key from the environment and uses it to authenticate requests to the AIsa service. This is expected for a market-data API client, but it is still credentialed account access.
self.api_key = api_key or os.environ.get("AISA_API_KEY") ... "Authorization": f"Bearer {self.api_key}"Use a dedicated, least-privileged AIsa API key if available, avoid sharing the key in prompts or logs, and monitor provider usage.
Ticker symbols, filters, and requested market-research topics may be visible to the AIsa API provider.
The skill documents direct curl calls to an external API using the user's API key. The calls are scoped to the advertised financial-data purpose, but users should be aware that queries are sent to an external service.
curl "https://api.aisa.one/apis/v1/financial/prices?ticker=AAPL..." \ -H "Authorization: Bearer $AISA_API_KEY"
Only submit market queries you are comfortable sending to the provider, especially if your portfolio or research interests are sensitive.
You have less information for independently verifying who maintains the skill and whether the included client matches the advertised service.
The artifact metadata does not identify a source repository or package provenance. This is not evidence of malicious behavior, but it reduces provenance clarity for a credential-using integration.
Source: unknown
Confirm that the skill and api.aisa.one are the intended provider before adding an API key.