eToro Apps

v1.0.0

Enables agents to interact with the eToro API to access market data, portfolio and social features, and execute trades programmatically. Supports both OAuth...

by Mariano Pardo (@marian2js)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description (eToro trading client) matches the instructions: API base URL, auth flows (OAuth and API keys), headers, endpoints for demo vs real trading, and examples for placing orders. There are no unrelated environment variables, binaries, or install steps requested that would be unexpected for a trading integration.
Instruction Scope
SKILL.md focuses on calling eToro endpoints and handling tokens/keys. It references ctx.accessToken / ctx.apiKey / ctx.userKey (runtime context variables) and says keys are requested from the user at install. The registry metadata lists no required env vars, so keys are expected to be provided interactively at runtime rather than via declared env variables. This is reasonable, but you should confirm how the agent will prompt for and store those credentials. The documentation also mixes the PKCE flow with sending client_secret in the token exchange, which may be a small inaccuracy (not a security indicator by itself).
Install Mechanism
No install spec and no code files — instruction-only skill. That minimizes the risk of arbitrary code being written to disk or executed during install.
Credentials
The skill does not declare any required env vars but explicitly requires sensitive credentials at runtime (OAuth access_token or API keys/user key). That is proportional for a trading integration. Because the skill can execute trades, granting it these credentials is high-impact; ensure you only supply demo (virtual) keys for testing and limit permissions (read vs write) as appropriate.
Persistence & Privilege
always:false and no install steps writing persistent binaries/configs. The skill is allowed to be invoked autonomously by the agent (default). Given its ability to execute trades, you should consider restricting autonomous execution or requiring explicit user confirmation before any real trade operations.
Assessment
This SKILL.md appears to be a straightforward eToro API integration and does not request unrelated system access. However, it will need either your OAuth access token or API keys/user key to function — these are powerful credentials that can place real trades. Before installing:
- Verify the skill source/owner (confirm you trust kn730v2... and the homepage) and prefer the official eToro portal and OAuth flow.
- Test in the demo/virtual environment first (use demo endpoints and demo User Keys).
- If you provide API keys, give the minimum permissions (read only) until you need write/trade capabilities; rotate/revoke keys after testing.
- Decide whether the agent should be allowed to call this skill autonomously; consider requiring explicit user confirmation for any real trade execution.
- Confirm how credentials will be collected and stored by the agent (don’t paste keys into untrusted channels).

Like a lobster shell, security has layers — review code before you run it.

latestvk97ca48gf6xmg45qtpgkmhkm3d81r0q7

Runtime requirements

📈 Clawdis
