Global Market Feed
PassAudited by ClawScan on May 10, 2026.
Overview
This appears to be a straightforward QuoteNode market-data skill that uses a user-provided API key and sends constrained HTTPS requests to datatk endpoints.
Before installing, confirm you trust the QuoteNode/dataTrack service, place only the intended endpoint and API key in env.json, and be aware that API calls may consume your quota. The reviewed code does not show hidden exfiltration, destructive actions, persistence, or unrelated access.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent can make market-data API requests using the configured key, potentially consuming quota or rate limits.
The skill exposes a flexible API caller rather than one fixed quote command. This is purpose-aligned for a market-data API, and the included code restricts calls to datatk HTTPS hosts and /Api/ paths, but users should understand the agent may invoke different QuoteNode REST endpoints.
`scripts/request.mjs`: generic POST caller for any REST endpoint.
Use a provider key with appropriate limits, monitor usage, and ask the agent to show the endpoint and request body before unusual or high-volume queries.
Anyone with access to the local env.json may be able to use the QuoteNode API key, and agent calls may consume the account's API quota.
The script reads a local configuration file and sends the configured API key in the X-API-KEY header. This is expected for QuoteNode access and no credential leakage to unrelated destinations is shown.
const configPath = join(scriptDir, '..', 'env.json'); ... 'X-API-KEY': ak
Keep env.json private, use a scoped or limited API key if available, and rotate the key if the file is exposed.