ClawHub

optionwhales

PassAudited by ClawScan on May 1, 2026.

Overview

The skill appears to be a disclosed API client for OptionWhales data and AI trade reports, with expected credential and data-sharing considerations.

This skill is reasonable to install if you intend to use OptionWhales option-flow data or AI trade reports. Configure only the credentials you need, verify the separate AI-report endpoint before adding AI_API_TOKEN, and do not provide local order files unless you want that data sent for report generation.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Low
#ASI03: Identity and Privilege Abuse
What this means

If configured, the agent can spend or use the associated API access for option-flow queries and AI report actions.

Why it was flagged

The skill uses API credentials for OptionWhales and optionally for the AI report service. This is expected for the stated purpose, but it gives the agent delegated access to those services.

Skill content
export OPTIONWHALES_API_KEY="ow_free_your_key_here" ... export AI_API_TOKEN="your_bearer_token_here"
Recommendation

Use least-privilege keys, only configure AI_API_TOKEN if you need AI reports, and revoke or rotate tokens if you stop using the skill.

Low
#ASI07: Insecure Inter-Agent Communication
What this means

If an orders file is provided, its contents may be sent to the AI report service along with report-generation metadata.

Why it was flagged

The AI-report helper can send user identifiers and optional order data from a local JSON file to an external AI report provider. This is purpose-aligned, but it crosses a data boundary.

Skill content
API_BASE = "https://ai-service-production-b44b.up.railway.app" ... with open(args.orders_file, "r") as f: orders = json.load(f) ... "large_orders": orders
Recommendation

Only pass order files you intentionally want analyzed, avoid unnecessary personal or account data, and confirm the AI service’s privacy handling before use.

Info
#ASI04: Agentic Supply Chain Vulnerabilities
What this means

Trust for AI-report credentials and submitted report data extends to this separate hosted service.

Why it was flagged

The AI report feature uses a Railway-hosted endpoint separate from the main optionwhales.io API. It is disclosed, but users should verify it is the intended service endpoint.

Skill content
**AI Report API Base:** https://ai-service-production-b44b.up.railway.app
Recommendation

Verify with OptionWhales or the relevant administrator that this endpoint and bearer-token workflow are legitimate before configuring AI_API_TOKEN.