eToro API

Suspicious. Audited by ClawScan on May 10, 2026.

Overview

This skill is not clearly malicious, but it can use real eToro keys to place trades and the package does not declare or guard that high-impact authority.

Install only if you are comfortable giving an agent access to eToro. Start with virtual-portfolio or read-only keys, verify the official API documentation, and require explicit approval before any real trade, especially for amount, leverage, instrument, and order direction.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Concern (Medium Confidence)
ASI02: Tool Misuse and Exploitation
What this means

If an agent uses this skill with a real write-enabled key, mistaken or unintended instructions could place real trades and cause financial loss.

Why it was flagged

The skill documents real trading execution, not only market-data reads. The provided artifacts do not show required confirmations, maximum order sizes, real/demo defaults, or other safeguards before high-impact financial actions.

Skill content
This skill allows to interact with the user's eToro account programatically, including executing trades. ... POST /trading/execution/market-open-orders/by-amount
Recommendation

Use demo or read-only keys by default, require explicit confirmation for every real trade, and set clear limits for instrument, amount, leverage, and order type.

What this means

A user may not realize the skill needs sensitive account keys capable of reading portfolio data or executing trades.

Why it was flagged

The registry declares no primary credential, while the skill instructions request eToro account credentials that may include real-portfolio write permissions.

Skill content
Primary credential: none ... Keys (request from the user on install) ... Public API Key ... User Key ... Choose Environment (Real or Virtual/Demo) and Permissions (Read or Write).
Recommendation

Declare the eToro credential requirement explicitly, document the minimum permissions needed, and advise users to prefer read-only or virtual-portfolio keys unless they intentionally need real trading.

What this means

Incorrect or outdated API instructions could lead to failed requests or unintended account actions.

Why it was flagged

The skill points to the eToro API portal but the package source is listed as unknown, so users should verify that the API details and endpoints match official documentation before granting trading access.

Skill content
Source: unknown; Homepage: https://api-portal.etoro.com/
Recommendation

Verify the skill instructions against official eToro API documentation, especially before using real write-enabled credentials.