Trade Signal

Audited by ClawScan on May 10, 2026.

Overview

The skill mostly matches its trading-signal purpose, but its helper script handles search text unsafely, so a specially crafted query could run local Python code.

Install only if you are comfortable sending trading questions to Terminal-X, and avoid using the helper script with untrusted or externally supplied text until the query-encoding code is fixed.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A malicious or untrusted query passed to the skill could potentially run commands in the user's local agent environment.

Why it was flagged

The user-controlled query is interpolated directly into a Python -c program inside a triple-quoted string. A crafted query containing Python string delimiters could break out of the string and execute local Python code.

Skill content

ENCODED=$(python3 -c "import urllib.parse; print(urllib.parse.quote('''$QUERY'''))")

Recommendation

Fix the wrapper to pass the query as an argument or environment variable instead of embedding it in Python source, for example: python3 -c 'import sys, urllib.parse; print(urllib.parse.quote(sys.argv[1]))' "$QUERY".
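The two forms of the encoding step side by side, as an added example written for this review rather than code taken from the skill itself. The function names are assumptions; the unsafe body reproduces the pattern quoted in the finding and the safe body follows the recommendation above. A query containing the triple-quote delimiter is used as a constructed test input: the unsafe wrapper turns it into a Python syntax error (the same mechanism that lets a crafted query alter the program), while the safe wrapper simply percent-encodes it.

```shell
#!/bin/sh
# Added example, not the skill's own helper script.

# Unsafe form, as flagged in the finding: the query is spliced into the Python
# source text, so quote characters in the query change the program rather than
# being treated as data.
encode_query_unsafe() {
    QUERY="$1"
    python3 -c "import urllib.parse; print(urllib.parse.quote('''$QUERY'''))"
}

# Hardened form from the recommendation: the query reaches Python as sys.argv[1]
# and is never part of the source, so every character is just data to encode.
encode_query_safe() {
    python3 -c 'import sys, urllib.parse; print(urllib.parse.quote(sys.argv[1]))' "$1"
}

# Builds the request URL from the safely encoded query (endpoint from the finding).
build_search_url() {
    echo "https://app.terminal-x.ai/api/lite-search?query=$(encode_query_safe "$1")"
}

# Constructed sample query containing a triple quote and URL-reserved characters.
SAMPLE="AAPL ''' & risk?"
echo "safe:   $(encode_query_safe "$SAMPLE")"
echo "url:    $(build_search_url "$SAMPLE")"
echo "unsafe: $(encode_query_unsafe "$SAMPLE" 2>&1 || echo '(python3 rejected the query)')"
```

With the safe form, urllib.parse.quote leaves only unreserved characters and `/` untouched, so spaces, quotes, `&` and `?` all become percent escapes and cannot alter either the Python program or the URL's query structure.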

What this means

Financial questions, ticker interests, or portfolio details included in the query leave the local environment and may be visible to the provider or logs handling the request.

Why it was flagged

The script sends the user's full trading question to an external Terminal-X API endpoint as a URL query parameter.

Skill content

curl -sL "https://app.terminal-x.ai/api/lite-search?query=${ENCODED}"

Recommendation

Avoid including private account details or sensitive portfolio information in prompts unless you are comfortable sharing them with the provider.

What this means

The skill may fail or behave differently depending on the local python3 and curl available in the environment.

Why it was flagged

The registry declares no required binaries, while the included helper script uses python3 and curl. This is an under-declared dependency contract rather than evidence of malicious behavior.

Skill content

Required binaries (all must exist): none

Recommendation

Declare python3 and curl as required binaries, and run only in an environment where those binaries are trusted.

What this means

Users may over-rely on generated trade calls or price targets for financial decisions.

Why it was flagged

The skill intentionally frames its outputs as authoritative, actionable trading recommendations in a high-stakes financial domain.

Skill content

specific price targets on any given securities, real-time data and institution-grade trade thesis

Recommendation

Treat outputs as research assistance only, verify sources and market data independently, and avoid trading solely on the skill's recommendation.