Skill v1.0.0
ClawScan security
Tradekix · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 11, 2026, 9:28 PM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's code and instructions are consistent with a Tradekix API client: it signs up for an API key, saves it to ~/.config/tradekix/config.json, and calls the listed endpoints. Nothing is obviously malicious, but there are a few privacy/usability issues and minor metadata inconsistencies to note before installing.
- Guidance: This skill appears to be a straightforward client for tradekix.ai, but before installing consider:
  1. Signup will POST agent_name and email to https://www.tradekix.ai/api/v1/connect. Don't provide a real personal email or other identifying information if you don't trust the service.
  2. The signup flow echoes the API response to stdout, including the returned api_key. That output can end up in logs or in the agent's conversation history; treat it as sensitive.
  3. The skill stores the API key at ~/.config/tradekix/config.json with mode 600. That blocks other local users but not root, backups, or snapshots of the home directory, so consider the exposure if the machine or its backups are shared.
  4. The registry metadata lacks a homepage/source URL; if you need higher assurance, verify the tradekix.ai service and its owner before use.
  If you proceed, consider using a throwaway email for signup, inspect the script's network calls in a controlled environment first, and delete the stored key when you no longer need it.
Review Dimensions
- Purpose & Capability (ok): Name/description match the included wrapper script and API docs. The script implements signup, price/market endpoints, upgrade, and revoke, which align with the stated purpose. No unrelated services or credentials are requested.
- Instruction Scope (note): Runtime instructions and the script operate only against the tradekix.ai API and the local config file (~/.config/tradekix/config.json). They instruct the agent to sign up (POST /connect) and store the returned API key locally. This is within scope, but the automatic signup transmits an agent name and email to an external service, and the script echoes the full API response to stdout, which includes the API key, so the secret can leak into logs and conversation history.
- Install Mechanism (ok): No install spec; the skill is instruction-only with an included Bash wrapper. Nothing is downloaded from third-party URLs or written outside the skill's own config directory, so install risk is low.
- Credentials (note): The skill declares no required environment variables or credentials, which matches its behavior. However, it writes and reads ~/.config/tradekix/config.json while the registry metadata declares no required config paths, a minor metadata inconsistency. Automatic signup also sends an email and agent name to the external service and stores the returned API key locally; consider whether you want to expose that email, name, and API key to the third party.
- Persistence & Privilege (note): The script persists the API key under the user's home (~/.config/tradekix/config.json) and sets the file permissions to 600. The skill does not request always: true and does not modify other skills or global agent settings. Persistence is limited to the skill's own config directory, which is expected behavior for an API client.
