Trade Singal
Warn
Audited by ClawScan on May 10, 2026.
Overview
This finance skill uses a simple external API, but its helper script can be abused by a crafted query to run local Python code.
Wait for the search.sh input-handling bug to be fixed before installing or running this skill. If you do use it later, remember that your finance questions are sent to terminal-x.ai and the outputs are investment recommendations, not guaranteed financial outcomes.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious or accidental query could run commands on the machine or agent environment where the skill executes.
The user-controlled QUERY value is inserted directly into Python source code. A crafted query containing triple quotes can break out of the string and run arbitrary Python commands locally.
ENCODED=$(python3 -c "import urllib.parse; print(urllib.parse.quote('''$QUERY'''))")
Do not run this helper until it is fixed to pass the query as an argument or environment variable to Python, for example using sys.argv, rather than interpolating it into a python -c string.
The skill may fail or behave differently depending on what local binaries are available.
The helper requires python3 and curl even though the registry metadata declares no required binaries. This is an under-declared dependency, not malicious by itself.
python3 -c "import urllib.parse; ..."
curl -sL "https://terminal-x.ai/api/lite-search?query=${ENCODED}"
Declare python3 and curl as required binaries, or remove the dependency on local Python by using a safer built-in encoding approach.
If a user includes private portfolio details, account identifiers, or confidential strategy information in the query, that text is sent to the provider.
The user's finance query is sent to the external terminal-x.ai API. This is disclosed and purpose-aligned, but users should understand that their query text leaves the local environment.
curl -sL "https://terminal-x.ai/api/lite-search?query=${ENCODED}"
Avoid including secrets or highly sensitive personal/account information in queries unless you trust the provider and its data handling practices.
