v1.0.0

x trade

Review

ClawScan verdict for this skill. Analyzed May 1, 2026, 8:17 AM.

Analysis

This is a coherent trading skill with no hidden code, but it needs review because it uses a personal trading API key and can place or cancel financial orders.

Guidance: Review this carefully before installing. Only use it with a trusted X Trading account and a narrowly scoped API key. If you only need balances or market data, use a read-only key. Do not enable trading permissions unless you want the agent to help place or cancel orders, and require explicit confirmation for every financial action.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: High, Confidence: High, Status: Concern
api-orders.md
Before calling POST /orders, always: ... Wait for explicit confirmation ... ## DELETE /orders/{order_id} — Cancel an order

The artifacts correctly require confirmation before placing orders, but the separate cancel-order operation is also a high-impact account mutation and lacks a matching explicit confirmation rule.

User impact: A mistaken or over-broad interpretation of a request could cancel an open order or execute a trade workflow with financial consequences.
Recommendation: Require explicit user confirmation for every order placement and cancellation, show symbol, side, quantity, price, estimated value, and account impact before any mutation, and consider platform-side trading limits.

Agentic Supply Chain Vulnerabilities
Severity: Low, Confidence: Medium, Status: Note
metadata
Source: unknown

The skill is instruction-only and has no code install path, but its provenance is not clearly established while it asks users to connect a financial trading account.

User impact: Users have less assurance that the documented API endpoint and skill source are legitimate before providing a trading credential.
Recommendation: Verify the publisher, homepage, and X Trading API domain independently before setting any API key.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: High, Confidence: High, Status: Concern
SKILL.md
All requests require the following header: X-API-KEY: {X_TRADING_API_KEY}

The skill uses a personal trading API key for all requests, giving the agent delegated access to account and trading functions.

User impact: If the API key has trading permissions, the agent may be able to view financial account data and authorize real order actions.
Recommendation: Use the narrowest possible API key scope, prefer read-only keys for balance or market queries, and only enable trading permissions if you are comfortable with the agent acting on explicit instructions.