DAX Ledger Skills

Pass

Audited by ClawScan on May 10, 2026.

Overview

This instruction-only DAX Ledger API skill appears coherent and purpose-aligned, but it uses API credentials and can retrieve sensitive portfolio, transaction, tax, and compliance data.

This skill looks benign based on the provided artifacts and has no code or install-time execution. Before using it, verify that you trust the DAX Ledger domain and publisher, configure API credentials securely, prefer least-privilege credentials, and remember that financial portfolio data returned by the API may appear in the assistant session.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent can access whatever DAX Ledger portfolio data the supplied API credentials permit.

Why it was flagged

The skill requires the user's DAX Ledger API key and secret to authenticate and then uses a bearer token for account API calls. This is expected for the stated API integration, but it is sensitive account authority.

Skill content

| DAXLEDGER_API_KEY | API key used to authenticate | ... | DAXLEDGER_API_SECRET | API secret used to authenticate |

Recommendation

Use a dedicated least-privilege or read-only API key if available, store secrets securely as environment variables, and revoke the key when no longer needed.

What this means

Portfolio values, transaction records, addresses, compliance findings, and tax-related reports may be returned into the assistant session or logs.

Why it was flagged

The skill sends authenticated requests to the disclosed DAX Ledger service and retrieves sensitive financial, transaction, tax, and compliance information. This is purpose-aligned, but users should be aware of the data flow to the external provider.

Skill content

Base URL https://app.daxledger.io ... Get capital gains report ... List transactions ... Get compliance report

Recommendation

Use the skill only in trusted workspaces, request only the reports you need, and consider redacting sensitive output before sharing or storing it.

What this means

Limited provenance makes it harder to independently confirm who published the integration before using API credentials with it.

Why it was flagged

The skill is instruction-only and has no code install, but its registry provenance is limited. Because the skill uses account credentials, users should verify that the documented DAX Ledger domain and publisher are expected.

Skill content

Source: unknown; Homepage: none

Recommendation

Verify the DAX Ledger API domain and confirm the publisher before configuring credentials.