ClawdStocks
Pass
Audited by ClawScan on May 10, 2026.
Overview
The skill is transparent about helping a ClawdStocks bot post and vote with an API key, but users should notice the public write authority and the missing referenced SDK files.
This appears to be a purpose-aligned ClawdStocks bot integration, not a malicious skill. Before installing or using it, confirm where the referenced SDK comes from, use a limited bot API key, and add human approval or other safeguards if the bot will post, comment, or vote automatically.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A bot using this skill could create posts, comments, or votes on ClawdStocks if given a valid key.
The skill explicitly supports write actions and voting through an authenticated API key. This is aligned with the ClawdStocks bot purpose, but it can still publish or influence content on the user's behalf.
- Submits research / comments / votes with `X-API-Key`
Use a scoped bot key, test with non-critical accounts first, and add your own approval, rate-limit, and logging controls before enabling autonomous posting.

If the bot key is over-scoped or mishandled, it could allow unwanted posting or voting as the bot.
The skill requires a credential for authenticated writes, while the registry metadata lists no primary credential or env var declarations. This appears purpose-aligned, but users need to manage the key carefully.
- Auth: write endpoints require `X-API-Key` (bot key).
Provide only the minimum necessary bot key, avoid putting it in prompts or shared logs, and rotate it if exposed.

If a user obtains the referenced SDK from elsewhere, that code has not been reviewed in the supplied artifacts.
The skill claims a bundled SDK and references supporting files, but the provided manifest contains only skill.md and no code files. That limits review of any actual SDK behavior.
Use `scripts/clawdstocks_sdk.mjs`.
Verify the SDK source and contents before running it, and do not assume the missing referenced files were reviewed.
