Tradekix

Review

Audited by ClawScan on May 10, 2026.

Overview

Tradekix is a coherent market-data API wrapper, but its setup can expose the full stored API key and email in the agent context, so it should be reviewed before use.

Only install if you are comfortable sending signup details to Tradekix and storing a local API key. Avoid running the documented cat command on the config file; use a masked status check instead, and approve upgrade or revoke actions manually.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Someone with access to the transcript or logs could see and reuse the Tradekix API key, especially if the key is later upgraded to a paid tier.

Why it was flagged

The setup check prints the same config file that stores the API key, so the full credential and related account information can be pulled into agent context or logs.

Skill content

cat ~/.config/tradekix/config.json 2>/dev/null ... This stores the API key in `~/.config/tradekix/config.json`.

Recommendation

Do not print the config file. Use a file-existence check or the script's masked status output, and rotate the key if it has already been exposed.

What this means

The agent could create a paid-upgrade checkout link or revoke the current API key if those commands are invoked.

Why it was flagged

The skill exposes account-affecting commands for Pro checkout creation and API-key revocation. They are disclosed and purpose-related, but should not be run without user intent.

Skill content

bash SKILL_DIR/scripts/tradekix.sh upgrade monthly ... bash SKILL_DIR/scripts/tradekix.sh revoke

Recommendation

Require explicit user confirmation before running upgrade or revoke commands, and verify any checkout URL before payment.

What this means

Users must rely on the included artifacts and the remote Tradekix API domain without an independently declared source or homepage.

Why it was flagged

The artifacts provide limited provenance for the provider and package source. This is not malicious by itself, but users have less external context for trust decisions.

Skill content

Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.

Recommendation

Verify the provider and API domain before signing up, storing a key, or using paid features.