v1.0.1

optionwhales

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 6:20 AM.

Analysis

The skill appears to be a disclosed API client for OptionWhales data and AI trade reports, with expected credential and data-sharing considerations.

Guidance

This skill is reasonable to install if you intend to use OptionWhales option-flow data or AI trade reports. Configure only the credentials you need, verify the separate AI-report endpoint before adding AI_API_TOKEN, and do not provide local order files unless you want that data sent for report generation.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Info | Confidence: High | Status: Note
README.md
**AI Report API Base:** https://ai-service-production-b44b.up.railway.app

The AI report feature uses a Railway-hosted endpoint separate from the main optionwhales.io API. It is disclosed, but users should verify it is the intended service endpoint.

User impact: Trust for AI-report credentials and submitted report data extends to this separate hosted service.
Recommendation: Verify with OptionWhales or the relevant administrator that this endpoint and bearer-token workflow are legitimate before configuring AI_API_TOKEN.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low | Confidence: High | Status: Note
SKILL.md
export OPTIONWHALES_API_KEY="ow_free_your_key_here" ... export AI_API_TOKEN="your_bearer_token_here"

The skill uses API credentials for OptionWhales and optionally for the AI report service. This is expected for the stated purpose, but it gives the agent delegated access to those services.

User impact: If configured, the agent can spend or use the associated API access for option-flow queries and AI report actions.
Recommendation: Use least-privilege keys, only configure AI_API_TOKEN if you need AI reports, and revoke or rotate tokens if you stop using the skill.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Low | Confidence: High | Status: Note
scripts/aireport.py
API_BASE = "https://ai-service-production-b44b.up.railway.app" ... with open(args.orders_file, "r") as f: orders = json.load(f) ... "large_orders": orders

The AI-report helper can send user identifiers and optional order data from a local JSON file to an external AI report provider. This is purpose-aligned, but it crosses a data boundary.

User impact: If an orders file is provided, its contents may be sent to the AI report service along with report-generation metadata.
Recommendation: Only pass order files you intentionally want analyzed, avoid unnecessary personal or account data, and confirm the AI service’s privacy handling before use.