EntradeX
WarnAudited by ClawScan on May 10, 2026.
Overview
EntradeX is a disclosed DNSE trading CLI skill, but it can execute real trades with sensitive credentials and does not require an explicit confirmation or dry-run step before live trading actions.
Install only if you trust the EntradeX npm package and intend to let the agent help with DNSE trading. Use a limited-permission or test account if possible, keep credentials protected, and require explicit confirmation before any real order placement, modification, or cancellation.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent could place, change, or cancel real trades if given valid credentials and trading tokens, which could cause financial loss or unwanted account activity.
The skill exposes live order placement, modification, and cancellation commands for a financial trading account. Although this is disclosed, the instructions do not require explicit user confirmation, a dry-run, or another guard before live trade actions.
This skill can place **real trades** using provided credentials ... `entradex trade order ...`; `entradex trade modify ...`; `entradex trade cancel ...`
Use only with explicit user approval for each live trade, confirm account, symbol, side, price, quantity, and order type before execution, and prefer dry-run or a limited-permission/test account where possible.
If these credentials or tokens are exposed or misused, someone may be able to access trading account data or perform trades.
The skill needs DNSE API keys, secrets, and trading tokens to perform its stated trading workflows. This is purpose-aligned, but these credentials authorize sensitive account and trade operations.
Credential priority order: 1. Config file (`~/.entradex-cli/config.json`) ... 2. Environment variables (`DNSE_API_KEY`, `DNSE_API_SECRET`) ... `tradingToken`
Use limited-scope credentials if available, protect the local config file, avoid sharing command logs, clear stored credentials when finished, and rotate keys if misuse is suspected.
A compromised or unexpected npm package version could run local code and handle trading credentials.
The skill relies on installing an external npm package whose executable code is not included in the provided artifacts. This is expected for a CLI wrapper skill, and the skill does advise users to verify the package.
`npm i -g entradex-cli` ... `Verify the npm package: npm view entradex-cli`
Inspect the npm package, verify the author and repository, and consider pinning a trusted version before using it with real trading credentials.