msx-trading
v1.0.0
Trade security tokens on the MSX platform — check balances, place orders, view market data, and review trade history.
by sss3000 @seineruo
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
The name/description (trade on MSX: balances, orders, market data, history) map directly to the provided module files which document the corresponding API endpoints. Requiring an MSX API key is expected and proportional. Minor note: the registry summary shows a serialization artifact ('Required env vars: [object Object]') and the published homepage uses a placeholder GitHub URL (YOUR_USERNAME), which suggests the source/homepage metadata may be incomplete but does not change the functional coherence.
Instruction Scope
SKILL.md and the module files only instruct the agent to call API endpoints on https://api.msx.com/v1 using the X-API-KEY header. The instructions do not ask the agent to read arbitrary files, other environment variables, or send data to unexpected endpoints. Order-safety rules enforce explicit user confirmation before placing orders, which reduces risk of unintended trades.
Install Mechanism
No install spec and no code files — instruction-only skill. That is low-risk because nothing is written to disk or downloaded at install time.
Credentials
The only required credential documented in SKILL.md is MSX_API_KEY, which is appropriate for an API-based trading skill. There are no unrelated environment variables, secrets, or config paths requested. The registry metadata inconsistency (missing explicit primary credential entry and the '[object Object]' artifact) is a data-quality issue but does not indicate extra credential requests in the runtime instructions.
Persistence & Privilege
always is false and model invocation is allowed (default). The skill does not request permanent system presence, nor does it modify other skills or system-wide settings. Autonomous invocation is normal; combined with the other clean signals there are no additional persistence concerns.
Scan Findings in Context
[no-findings] expected: The regex scanner found nothing to analyze because this is an instruction-only skill (no executable code). That is consistent with the low-risk install model here.
Assessment
This skill appears internally consistent, but before enabling it:
1) Verify the API base URL (https://api.msx.com) is the official MSX endpoint and that the published homepage/source repository is legitimate (the current homepage field looks like a placeholder).
2) Use an API key with least privilege (read-only or restricted trading scope if available) and consider testing with a sandbox/test account.
3) Confirm you are comfortable granting the skill the ability to place/cancel orders — the skill requires an API key that can perform trading actions if the key has those permissions.
4) Keep the MSX_API_KEY secret (the skill explicitly warns not to log or expose it).
5) If you need stronger assurance, ask the publisher for a real repository URL or source code and verify the key-scope requirements there.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
📈 Clawdis
Env: [object Object]
