Skillv0.0.2

ClawScan security

Tradealpha Realtime News · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignApr 28, 2026, 2:09 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's files, instructions, and required credential (TradeAlphaToken) are consistent with its stated purpose of calling https://quantaccess.lxaa.top/api/v1/news/realtime_news; nothing in the package requests unrelated secrets or performs unexpected actions.
Guidance: This package appears internally consistent, but before installing: (1) verify you trust the endpoint https://quantaccess.lxaa.top because your TradeAlphaToken will be sent there (in both Authorization header and JSON body); (2) ensure you only provide a token with the minimal necessary privileges and avoid sharing high-privilege credentials; (3) confirm your runtime has a recent Node version (the script uses fetch); and (4) if you need extra assurance, review the included get-realtime-news.js yourself — it is short and readable and shows the exact network request being made.

Purpose & Capability: okName/description, required binary (node), declared primaryEnv (TradeAlphaToken), and the API endpoint (quantaccess.lxaa.top) all match the implemented script and SKILL.md; there are no unrelated credentials or binaries requested.
Instruction Scope: okSKILL.md instructs only running the included Node script, filling parameters from user language, and returning the API's response. The instructions explicitly limit behavior (only read TradeAlphaToken, post to the listed URL, do not echo the token) and do not ask to read unrelated files or environment variables.
Install Mechanism: okNo install spec — instruction-only with one included script. This is low-risk: nothing is downloaded from third-party URLs or installed system-wide.
Credentials: okOnly a single credential (TradeAlphaToken) is required and it is used by the script to authenticate to the declared API. No other secrets or config paths are requested.
Persistence & Privilege: okThe skill does not request always:true or any elevated persistent presence, and it does not modify other skills or system settings.