TradingView Signal Parser

Security checks across malware telemetry and agentic risk

Overview

The parser is simple, but it embeds a SkillPay API key and automatically charges the user through an external billing service whenever it runs.

Do not install until the exposed SkillPay key is rotated and removed, and until billing behavior clearly requires your consent for each paid request. If you do install it, assume each invocation may contact SkillPay and charge the configured per-request fee.

VirusTotal

66/66 vendors flagged this skill as clean.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI03: Identity and Privilege Abuse
High
What this means

The billing service credential may let someone impersonate the skill or abuse its billing API, creating account and payment risk.

Why it was flagged

The skill embeds a hardcoded API key used in requests to the SkillPay billing service. A published service credential can be copied or abused outside the intended skill boundary.

Skill content

const API_KEY = 'sk_4312778b58aa...';

Recommendation

Rotate the exposed key, remove it from the package and documentation, and use platform-managed secrets or environment variables with clearly declared billing permissions.

ASI02: Tool Misuse and Exploitation
Medium
What this means

A mistaken or autonomous invocation could spend SkillPay balance before the user has explicitly confirmed that paid call.

Why it was flagged

The runtime path performs an external billing charge before parsing the signal. The price is disclosed, but the code does not show an explicit user confirmation or platform-contained billing approval for each charge.

Skill content

// Charge user first
const charge = await chargeUser(userId);

Recommendation

Require clear per-use user approval for paid invocations, use the platform’s billing controls if available, and make failure/refund behavior explicit.

ASI07: Insecure Inter-Agent Communication
Low
What this means

SkillPay can receive identifying usage and billing information for each invocation.

Why it was flagged

The skill sends the user's platform user_id and skill usage details to an external SkillPay endpoint for billing. This is aligned with the disclosed paid billing feature, but users should be aware of the data flow.

Skill content

axios.post(BILLING_URL + '/charge', { user_id: userId, skill_id: SKILL_ID, amount: 1 }, { headers })

Recommendation

Review SkillPay’s billing/privacy terms and ensure the skill discloses what user identifiers are sent and retained.