AgentCanary
Review
Audited by ClawScan on May 10, 2026.
Overview
AgentCanary is a coherent market-intelligence API skill, but it gives inconsistent guidance about API-key secrecy while requiring wallet-based paid API access.
Before installing, verify AgentCanary and its deposit address independently, avoid pasting API keys into chat, use a dedicated low-balance key, and do not let its market signals automatically execute trades or change positions without your review.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may believe their API key is never exposed to the agent or logs, then provide it in chat or tool context where it could be retained or copied.
The document makes a strong privacy claim that API keys will not pass through the LLM context, but its own usage example places the key directly in an API request the agent would need to construct.
"No secrets in prompt" / "No API keys pass through the LLM context window" and "GET /api/data/realtime-prices?apikey=YOUR_KEY"
Treat the API key as a secret. Do not paste it into prompts; use a secure credential mechanism if available, and the publisher should align the metadata and documentation with actual key handling.
The agent may need access to a paid API key that can spend prepaid credits, but the credential boundary and safe storage expectations are not clearly declared.
The registry says no credential is required, but the skill actually relies on an API key tied to wallet-based prepaid billing and sends that key as a query parameter.
Metadata: "Primary credential: none"; SKILL.md: "Auth: Wallet-based API keys... use key as query param" and "Send USDC/USDT"
Use a dedicated low-balance API key, verify the provider independently before depositing funds, and prefer secure secret storage over query-string or prompt-based key entry.
If connected to an autonomous trading setup, external signals from this service could affect financial decisions or generate repeated paid API calls.
The documented default pattern is purpose-aligned for market intelligence, but it explicitly suggests using API outputs to gate or alter trading behavior.
"GET /api/macro/regime every 4–6 hours"; "If Risk-Off → suppress trading, reduce exposure"; "If Risk-On → allow strategy execution"
Keep human confirmation for trades or exposure changes, monitor API usage costs, and do not let this skill directly control trading actions without separate safeguards.
