Crypto & Stock Market Data Pro
PassAudited by ClawScan on May 10, 2026.
Overview
This appears to be a read-only market-data skill, with disclosed external API calls and a local temporary token file users should be aware of.
This skill looks appropriate for read-only crypto and stock lookups. Before installing, be comfortable with sending requested tickers/searches to api.igent.net and with a local scripts/.token file being created; also consider verifying the publisher because bundled metadata does not match the registry listing exactly.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your market lookup terms are sent to the skill's external market-data provider.
All tools make GET requests to an external provider, sending user-supplied market queries such as tickers, coin IDs, and search terms. This is disclosed and purpose-aligned, but it is a data boundary users should notice.
const BASE_URL = process.env.API_BASE_URL || 'https://api.igent.net/api'; ... const { status, body } = await _httpRequest(parsed.toString(), headers);Use this for public market identifiers and avoid sending private portfolio or account information unless you trust the provider.
A temporary service token may remain on disk after use.
The client automatically obtains a provider token, stores it locally, and reuses it as an API authentication header. This matches SKILL.md's disclosure and does not use user credentials, but it creates a persistent local token file.
const TOKEN_FILE = path.join(__dirname, '.token'); ... fs.writeFileSync(TOKEN_FILE, JSON.stringify(data)); ... 'X-API-Token': token
If you stop using the skill or want to reset access, delete the generated scripts/.token file.
The package identity/version may be confusing when comparing the installed artifact to the registry listing.
The bundled metadata differs from the registry-provided owner, slug, and version. This does not indicate malicious runtime behavior in the provided code, but it is a provenance inconsistency.
"ownerId": "kn7514q7g1cz1cjgh8aryp988980qjsk", "slug": "crypto-market-data", "version": "1.0.2"
Verify the publisher and version if provenance matters for your environment.