Skill v1.0.1
ClawScan security
IEX Cloud CLI · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 28, 2026, 3:49 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, docs, and runtime instructions are coherent with its stated purpose (IEX Cloud API access) and request only the expected tools and token.
- Guidance: This skill appears to do what it says: a small Bash CLI that sends your IEX token to the documented IEX Cloud endpoints. Before installing or running it: prefer injecting the token via OpenClaw secret refs (skills.entries.iex-cloud.apiKey) rather than exporting it in plaintext; inspect the scripts yourself first; when running locally, avoid passing the token via --token on shared systems, since it may be visible in process lists and command history; consider using the sandbox base URL with a sandbox token while you validate behavior; and rotate any token you expose during testing. The skill enforces trusted hosts and rejects full URLs for raw calls, which reduces but does not eliminate risk. Review the code and run it only if you trust the repository/source.
Review Dimensions
- Purpose & Capability (ok): Name/description, registry metadata, SKILL.md, and the included scripts all focus on IEX Cloud REST calls. The required binary (curl) and required env var (IEX_TOKEN) match the implementation; optional jq and IEX_BASE_URL are documented and used only for allowed overrides.
- Instruction Scope (ok): SKILL.md instructs the agent to use the provided Bash CLI and OpenClaw secret injection, to avoid hardcoding tokens, and to validate inputs. The runtime script accesses only the declared env vars and enforces limits (trusted hosts, relative raw paths, no query characters in the raw path). There are no instructions to read unrelated files or to exfiltrate data to third-party endpoints.
- Install Mechanism (ok): There is no install spec (instruction-only skill), and the included files are plain Bash/Python source in the repo. Nothing is downloaded from arbitrary URLs and no archives are extracted, so install risk is low.
- Credentials (ok): The only variables requested are IEX_TOKEN, its documented compatibility alias IEX_CLOUD_TOKEN, and the optional IEX_BASE_URL. They are directly required to call the IEX API and proportionate to the skill's function.
- Persistence & Privilege (ok): The skill is not always-enabled and does not request elevated or cross-skill configuration changes. It does not modify other skills' configs or require a persistent presence.
