Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Tradekix
v1.0.0
Query financial market data via the Tradekix API — stock prices, crypto, forex, indices, market news, earnings, economic events, Congressional trades, and social sentiment. Use when the user asks about markets, stock prices, trading data, economic calendars, or financial news. Also handles API key signup and upgrade to Pro.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description match the included wrapper script and API docs. The script implements signup, price/market endpoints, upgrade, and revoke, which align with the stated purpose. No unrelated services or credentials are requested.
Instruction Scope
Runtime instructions and the script operate only against the tradekix.ai API and the local config file (~/.config/tradekix/config.json). They instruct the agent to sign up (POST /connect) and store the returned API key locally. This is within scope, but the automatic signup will transmit an agent name and email to an external service, and the script echoes the full API response to stdout (which may include the API key), potentially leaking secrets into logs/conversation history.
Install Mechanism
No install spec; the skill is instruction-only with an included Bash wrapper. Nothing is downloaded from third-party URLs or written outside the skill's own config directory, so install risk is low.
Credentials
The skill declares no required environment variables or credentials, which matches its behavior. However, it writes and reads ~/.config/tradekix/config.json (the registry metadata did not declare any required config paths) — a minor metadata inconsistency. Also, automatic signup sends an email and agent name to the external service and stores the returned API key locally; consider whether you want to expose that email/name and API key to the third party.
Persistence & Privilege
The script persists the API key under the user's home (~/.config/tradekix/config.json) and sets file permissions to 600. The skill does not request always: true and does not modify other skills or global agent settings. Persistence is limited to the skill's own config directory, which is expected behavior for an API client.
Assessment
This skill appears to be a straightforward client for tradekix.ai, but before installing consider:
1) Signup will POST agent_name and email to https://www.tradekix.ai/api/v1/connect — don't provide a real personal email or sensitive identifying info if you don't trust the service.
2) The signup flow echoes the API response to stdout (including the returned api_key) — that can leak the key into logs or agent conversation history; treat those outputs as sensitive.
3) The skill stores the API key at ~/.config/tradekix/config.json (chmod 600) — if you share the machine or backups, consider the privacy implications.
4) The registry metadata lacks a homepage/source URL; if you need higher assurance, verify the tradekix.ai service and its owner before use.
If you proceed, consider using a throwaway email for signup, inspect network calls in a controlled environment first, and delete the stored key when you no longer need it.
