KTrendz Lightstick Trading
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill matches its stated trading purpose, but it can place real token trades with a saved API key and contains unsafe handling of remote API responses that could lead to local code execution.
Review this skill carefully before use. Only install it if you trust K-Trendz and are comfortable giving the agent an API key that can trade. Do not use it until the scripts are updated to parse API responses safely and require explicit confirmation before buy or sell actions.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Checking a price could run unintended local code if the API response or upstream news data is malicious or compromised.
A remote API response is interpolated directly into Python source code inside an unquoted here-document, so the shell expands $RESPONSE into the program text before Python ever sees it. If the provider response or an embedded news headline contains crafted characters such as triple quotes, it can break out of the string literal and execute local Python code.
RESPONSE=$(curl -s -X POST "$BASE_URL/token-price" ...)
...
data = json.loads('''$RESPONSE''')['data']
Do not embed API responses into generated Python source. Pass JSON via stdin, an environment variable, or a temporary file, then parse it with json.load/json.loads safely.
If the agent misinterprets a request or runs the command too readily, it can spend funds or change token holdings before the user has a clear final approval inside the tool.
Once invoked, the script proceeds from price lookup to a live buy API call without an in-script confirmation prompt or local enforcement of the documented daily limit.
echo "Executing purchase..."
RESPONSE=$(curl -s -X POST "$BASE_URL/buy" ... -d "{\"artist_name\": \"$ARTIST\", \"max_slippage_percent\": $SLIPPAGE}")
Add a required confirmation prompt, dry-run mode, and local validation for slippage and daily trade limits before sending buy or sell requests.
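As an added example that is not the skill's or K-Trendz's own code, the script below shows the safe parsing the first finding recommends (the response travels over stdin, never into generated Python source) together with the confirmation prompt, dry-run mode and local slippage and daily-limit checks the second finding asks for. The sample response, the limit values and the python3 dependency are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example, not the skill's own code: parse the token-price response
# without building Python source from it, and gate a buy on local checks.
set -euo pipefail

# Constructed sample response standing in for $(curl ... "$BASE_URL/token-price").
# The news field deliberately contains triple quotes and Python syntax so the
# example shows they remain plain data when the JSON is read over stdin.
read -r -d '' SAMPLE_RESPONSE <<'JSON' || true
{"data":{"artist_name":"Example Artist","price_usd":12.5,
 "news":"''');print('still data');('''"}}
JSON

# Safe parse: the JSON travels over stdin and is decoded with json.load, so
# nothing from the response ever becomes part of the Python program text.
extract_price() {
  printf '%s' "$1" | python3 -c '
import json, sys
data = json.load(sys.stdin)["data"]
print(data["price_usd"])'
}

# Local policy checks before any request to "$BASE_URL/buy": a slippage bound,
# a daily-trade bound (limits are assumed values, not the skill's documented
# ones), and an explicit "yes" from the user. Returns 0 only if all pass.
MAX_SLIPPAGE_PERCENT=5
DAILY_TRADE_LIMIT=3
authorize_buy() {
  local slippage="$1" trades_today="$2" answer="$3"
  [[ "$slippage" =~ ^[0-9]+(\.[0-9]+)?$ ]] || { echo "invalid slippage" >&2; return 1; }
  awk -v s="$slippage" -v m="$MAX_SLIPPAGE_PERCENT" 'BEGIN{exit !(s<=m)}' \
    || { echo "slippage above $MAX_SLIPPAGE_PERCENT%" >&2; return 1; }
  (( trades_today < DAILY_TRADE_LIMIT )) || { echo "daily limit reached" >&2; return 1; }
  [[ "$answer" == "yes" ]] || { echo "not confirmed" >&2; return 1; }
}

# Interactive flow; run as: ./script.sh --run [slippage]  (DRY_RUN=1 skips the buy).
main() {
  local price answer slippage="${1:-1}"
  price=$(extract_price "$SAMPLE_RESPONSE")
  read -rp "Buy at $price with ${slippage}% slippage? Type yes to continue: " answer
  authorize_buy "$slippage" "${TRADES_TODAY:-0}" "$answer"
  if [[ "${DRY_RUN:-0}" == "1" ]]; then echo "dry run: no buy sent"; return 0; fi
  echo "Executing purchase..."   # the curl -X POST "$BASE_URL/buy" call belongs here
}
if [[ "${1:-}" == "--run" ]]; then main "${2:-1}"; fi
```

The buy request is only reached after every local check passes, and TRADES_TODAY stands in for whatever persistent counter the script would keep for the daily limit.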
Anyone or any process that can use this saved key may be able to place trades on the user's K-Trendz account.
The skill collects and stores a persistent API key used for trading. The chmod 600 protection is good, but the credential grants account-level trading authority and should be treated as sensitive.
read -sp "API Key: " API_KEY
... "api_key": "$API_KEY", ...
chmod 600 "$CONFIG_FILE"
Use a least-privilege API key with explicit trading limits, rotate it if exposed, and ensure users understand where it is stored.
Users have less provenance information to verify that the trading scripts and API endpoint are legitimate.
The registry metadata does not provide a verified source or homepage for a skill that performs financial trading operations.
Source: unknown
Homepage: none
Verify the publisher and repository independently before installing, especially before entering a trading API key.
