EODHD CLI

v1.0.1

Plan, build, review, or extend a stateless Bash CLI wrapper for the publicly documented EODHD API, intended for OpenClaw agents and Clawhub.ai distribution....

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The SKILL.md, README, agents/openai.yaml, and reference docs consistently describe a Bash+curl CLI that requires EODHD_API_KEY and provides scripts/eodhd as the entrypoint. However the registry-level 'Requirements' summary at the top of the package metadata lists no required env vars and no required binaries, and the actual package file list in this submission does not include the referenced scripts/eodhd file. Requiring an API key and bash/curl is appropriate for the stated purpose, but the mismatch between declared requirements and the provided files is a coherence problem.
Instruction Scope
The SKILL.md instructions are narrowly scoped to building a stateless Bash CLI: they describe auth handling, redaction, exit codes, command surface, and tests. They do not instruct the agent to read unrelated system files or exfiltrate data. The instructions explicitly forbid printing secrets and storing persistent state.
Install Mechanism
This is an instruction-only skill with no install spec, which is low-risk. The included scripts are simple shell smoke/test/check scripts. There is no download/install mechanism that would fetch arbitrary remote code.
! Credentials
The skill's docs and agents/openai.yaml declare EODHD_API_KEY as the primary required credential (and recommend OpenClaw injection). However the top-level registry 'Requirements' reported with the skill says no required env and no primary credential. This discrepancy is significant: the runtime contract (requires EODHD_API_KEY) is appropriate, but the published metadata failing to list it is incoherent and could lead to misconfiguration or surprising behavior if installed as-is.
Persistence & Privilege
The skill does not request persistent presence (always: false) and the SKILL.md explicitly requires stateless behavior (no config, caches, or token stores). There is no evidence the skill attempts to modify other skills or system-wide settings.
What to consider before installing
Do not install or publish this skill as-is. Key issues to resolve before trusting it:
1) scripts/eodhd (the claimed CLI entrypoint) is referenced throughout the docs and manifest but is missing from the provided file set; request or inspect that file and review its code for networking, endpoints, and any data exfiltration.
2) Fix metadata mismatches: ensure the registry/packaging metadata declares EODHD_API_KEY as a required credential and lists bash/curl as runtime dependencies so deployers know the true runtime contract.
3) Run ./scripts/check-package.sh and ./scripts/test-smoke.sh locally after adding scripts/eodhd; the check script will fail while the entrypoint is missing.
4) Verify the implementation follows the documented redaction rules (dry-run masks, no raw token in logs) and that no hidden endpoints or unexpected environment reads are present.
If the owner provides the missing entrypoint and aligns the manifest with the docs, re-evaluate; the current issues look like sloppy packaging rather than intentional malice, but they must be fixed before installation.

Like a lobster shell, security has layers — review code before you run it.
