Crypto Market Data Skill (No Key Required)
PassAudited by ClawScan on May 10, 2026.
Overview
This skill appears to do what it says—query a market-data API—but users should notice that it contacts an external provider and caches a provider token locally.
This looks safe to use for public crypto and stock market lookups. Before installing, be comfortable with requests going to api.igent.net and with a temporary provider token being stored in the skill's scripts directory.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
You have less external provenance information to verify who maintains the skill or the associated service.
The skill's registry metadata does not provide an upstream source or homepage, so provenance is limited even though the included source code is small and dependency-free.
Source: unknown; Homepage: none
Review the included code and only install if you trust the publisher and the api.igent.net service.
The market-data provider can see the symbols and search terms you request, along with normal request metadata.
The skill sends requested coin IDs, stock symbols, currencies, and search terms as query parameters to an external API provider; the destination can also be changed via API_BASE_URL.
const BASE_URL = process.env.API_BASE_URL || 'https://api.igent.net/api'; ... parsed.searchParams.set(key, value);
Use the default endpoint unless you intentionally trust another API_BASE_URL, and avoid entering non-market sensitive information as search text.
This is not a user-supplied API key, but it is credential-like local state that could be reused until it expires if someone else can read the skill directory.
The API client automatically obtains a provider token and stores it in a hidden local .token file for reuse.
const TOKEN_FILE = path.join(__dirname, '.token'); ... fs.writeFileSync(TOKEN_FILE, JSON.stringify(data));
Keep the skill directory private and delete scripts/.token if you want to clear the cached provider session.