IEX Cloud CLI

v1.0.1

Use this skill when a task needs IEX Cloud market data through the REST API (quotes, charts, fundamentals, market lists, and batch calls), including secure t...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Benign
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description, registry metadata, SKILL.md, and the included scripts all focus on IEX Cloud REST calls. Required binary (curl) and required env var (IEX_TOKEN) match the implementation; optional jq and IEX_BASE_URL are documented and used only for allowed overrides.
Instruction Scope
SKILL.md instructs the agent to use the provided Bash CLI and OpenClaw secret injection, to avoid hardcoding tokens, and to validate inputs. The runtime script only accesses the declared env vars and enforces limits (trusted hosts, relative raw paths, no query chars in raw path). There are no instructions to read unrelated files or exfiltrate data to third-party endpoints.
Install Mechanism
There is no install spec (instruction-only skill) and included files are plain Bash/Python source in the repo. Nothing is downloaded from arbitrary URLs and no archives are extracted—low install risk.
Credentials
Only IEX_TOKEN (plus a documented compatibility alias IEX_CLOUD_TOKEN and optional IEX_BASE_URL) are requested. These variables are directly required to call the IEX API and are proportionate to the skill's function.
Persistence & Privilege
The skill is not always-enabled and does not request elevated or cross-skill configuration changes. It does not modify other skills' configs or require persistent presence.
Assessment
This skill appears to do what it says: a small Bash CLI that sends your IEX token to the documented IEX Cloud endpoints. Before installing or running: prefer injecting the token via OpenClaw secret refs (skills.entries.iex-cloud.apiKey) rather than exporting it in plaintext; inspect the scripts yourself first; when running locally avoid passing the token via --token on shared systems (it may be visible in process lists/command history); consider using the sandbox base URL with a sandbox token while you validate behavior; rotate tokens if you expose them during testing. The skill enforces trusted hosts and rejects full URLs for raw calls, which reduces but does not eliminate risk—review and run only if you trust the repository/source.

Like a lobster shell, security has layers — review code before you run it.



Runtime requirements

Bins: curl
Env: IEX_TOKEN
