Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Matic Trades

v1.0.0

Matic Trades API — AI toolbox (AI_PICK), Twelve Data (SMART_SEARCH), autonomous charting. Use for stocks, crypto, indicators, charts, news, sentiment. Trigge...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name, README, SKILL.md, and the CLI all consistently describe a trading / charting client for Matic Trades (toolbox AI_PICK, SMART_SEARCH, chart agent). Requiring a MATIC_API_KEY (or alias) is expected. However the registry metadata lists 'Required env vars: none' while SKILL.md and scripts require a key — this mismatch is an incoherence in the packaging/manifest.
Instruction Scope
SKILL.md instructs the agent to run the bundled Python CLI with the user's natural-language prompt only, to parse returned JSON, and to only target MATIC_TRADES_API_BASE paths. The bundled script only reads the API key and optional base URL, posts to the documented endpoints, and prints JSON or error messages. There are no instructions to read unrelated files, other env vars, or to send data to third-party hosts.
Install Mechanism
This is an instruction-only skill with a small included Python script using only stdlib urllib; there is no installer, no downloads, and nothing writes arbitrary code to disk. Low install risk.
Credentials
The runtime requires a bearer API key (MATIC_API_KEY or MATIC_TRADES_API_KEY) and optionally MATIC_TRADES_API_BASE — those are proportionate for a hosted API client. The concern is the manifest/registry metadata incorrectly advertises 'no required env vars', which could mislead users/tools about secrets required and where to provide them. Confirm the registry entry before trusting automated installers or permission checks.
Persistence & Privilege
No 'always: true', no install hooks, and the skill does not modify other skills or system settings. Default autonomous invocation is allowed (platform default) but that is not combined here with broad privileges or extra credentials.
What to consider before installing
This skill's code and instructions look consistent with a trading API client and legitimately require a single API key. Before installing:
(1) verify and correct the registry metadata so it declares MATIC_API_KEY (or MATIC_TRADES_API_KEY) as required; don't rely on the registry claim of 'no env vars';
(2) ensure any API key you provide has limited scope and can be revoked (use a dedicated key for this skill);
(3) confirm the default base URL (https://api.matictrades.com/api/v1) is the official endpoint you expect;
(4) test the skill with a non-production key or limited account to observe behavior;
(5) if you use automated deployment tools, make sure they surface the required env var so you don't accidentally expose the key.
If you need higher assurance, ask the publisher to update the manifest/registry entry and provide a signed/reputable source or homepage.

Like a lobster shell, security has layers — review code before you run it.

latestvk979h3jmv6wtecgacb87f5qafs83c108

Runtime requirements

📈 Clawdis
