v1.0.1

MarketPulse (Stocks + Crypto Data)

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 5:31 AM.

Analysis

MarketPulse appears to be a purpose-aligned market-data skill that queries AIsa’s API using an API key, with no artifact-backed evidence of destructive or deceptive behavior.

GuidanceBefore installing, confirm you trust the AIsa API provider and the skill publisher enough to use an API key. The skill appears read-only for market data, but API queries and the bearer token are sent to api.aisa.one.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation

SeverityInfoConfidenceHighStatusNote

scripts/market_client.py

BASE_URL = "https://api.aisa.one/apis/v1" ... urllib.request.urlopen(req, timeout=60)

The skill makes outbound API requests to AIsa to retrieve market data. This is disclosed and central to the stated purpose, but users should understand that their query parameters are sent to that provider.

User impactTicker symbols, date ranges, screening filters, and similar market-data queries are sent to the AIsa API.

RecommendationUse the skill for intended market-data lookups, and avoid including confidential portfolio details unless you are comfortable sending them to the API provider.

Agentic Supply Chain Vulnerabilities

SeverityInfoConfidenceMediumStatusNote

metadata

Source: unknown

The registry metadata does not identify a source repository or verified upstream source. The included artifacts are coherent, but provenance is limited.

User impactUsers have less information for independently verifying who maintains the skill or how updates are produced.

RecommendationReview the included files before installation and prefer verified publisher/source information for production or sensitive workflows.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityLowConfidenceHighStatusNote

scripts/market_client.py

self.api_key = api_key or os.environ.get("AISA_API_KEY") ... "Authorization": f"Bearer {self.api_key}"

The client reads an API key from the environment and sends it as a bearer token to the AIsa API. This is expected for the integration and is also disclosed in the skill requirements.

User impactAnyone using the skill must provide an AIsa API key, which authorizes requests to that service and may affect quota or billing depending on the provider.

RecommendationUse a dedicated, least-privileged API key if available, keep it out of logs and prompts, and rotate it if it may have been exposed.