EODHD API

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent EODHD financial-data client, but it stores the user's API token locally and its error handling can expose that token in returned error results.

Install only if you trust this skill with an EODHD API key. Before use, update the client so api_token is removed from error results, avoid printing full error dictionaries, and protect or rotate the token if it may have been exposed.

VirusTotal

66/66 vendors flagged this skill as clean.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI03: Identity and Privilege Abuse
Medium
What this means

A failed API call could cause the user's EODHD API key to appear in chat output, logs, or saved results, allowing others with access to use the key or consume paid quota.

Why it was flagged

On request failure, the client returns the full params dictionary after adding the API token, so callers that display or log the error object can expose the user's EODHD key.

Skill content
params['api_token'] = self.api_token ... return {"error": str(e), "url": url, "params": params}
Recommendation

Redact api_token from all returned errors before displaying or logging them, and report only the error message and non-sensitive request context.
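The pattern the finding describes, beside a hardened version, as an added example that is not the skill's own code. The class name EodhdClient, the injectable fetch callable, the base URL and the constructed failing transport are assumptions made for illustration. Note that scrubbing the params dict alone is not enough: an HTTP library's exception message often echoes the full request URL including the query string, so the error text itself must be scrubbed too.

```python
# Added example, not code from the skill: the unsafe error return the finding
# describes, beside a hardened version. The class name EodhdClient, the
# injectable fetch callable and the base URL are illustrative assumptions.
import json
from typing import Any, Callable, Dict, Optional

Params = Dict[str, Any]
SENSITIVE_KEYS = {"api_token", "api_key", "token", "authorization"}


def redact(params: Params) -> Params:
    """Copy params with credential-bearing keys masked."""
    return {k: ("[REDACTED]" if k.lower() in SENSITIVE_KEYS else v)
            for k, v in params.items()}


def scrub(text: str, secret: str) -> str:
    """Mask the literal token wherever it appears, e.g. inside an exception
    message that echoes the full request URL with its query string."""
    return text.replace(secret, "[REDACTED]") if secret else text


def leaks_token(result: Any, token: str) -> bool:
    """True if the token appears anywhere in the serialised result."""
    return token in json.dumps(result, default=str)


class EodhdClient:
    BASE_URL = "https://eodhd.com/api"  # assumed for illustration

    def __init__(self, api_token: str,
                 fetch: Callable[[str, Params], Any]) -> None:
        self.api_token = api_token
        self._fetch = fetch  # transport is injected so the example runs offline

    def unsafe_get(self, path: str, params: Optional[Params] = None) -> Any:
        """The flagged pattern: the token is merged into params and the whole
        dict is returned on failure, so any caller that logs or displays the
        error object leaks the key."""
        params = dict(params or {})
        params["api_token"] = self.api_token
        url = f"{self.BASE_URL}/{path}"
        try:
            return self._fetch(url, params)
        except Exception as e:
            return {"error": str(e), "url": url, "params": params}

    def safe_get(self, path: str, params: Optional[Params] = None) -> Any:
        """Hardened: auth is kept out of the caller's params, the error text is
        scrubbed, and only non-sensitive request context is returned."""
        query = dict(params or {})
        url = f"{self.BASE_URL}/{path}"
        try:
            return self._fetch(url, {**query, "api_token": self.api_token})
        except Exception as e:
            return {
                "error": f"{type(e).__name__}: {scrub(str(e), self.api_token)}",
                "url": url,
                "params": redact(query),
            }


def failing_fetch(url: str, params: Params) -> Any:
    """Constructed transport that fails the way an HTTP library might,
    echoing the full URL including the query string in the message."""
    qs = "&".join(f"{k}={v}" for k, v in params.items())
    raise ConnectionError(f"connection refused: {url}?{qs}")


if __name__ == "__main__":
    client = EodhdClient("SECRET123", failing_fetch)
    print(leaks_token(client.unsafe_get("eod/AAPL.US", {"fmt": "json"}), "SECRET123"))
    print(leaks_token(client.safe_get("eod/AAPL.US", {"fmt": "json"}), "SECRET123"))
```

Run stand-alone, the script prints True for the unsafe path and False for the hardened one. The leaks_token helper is the kind of check worth keeping in the skill's tests: serialise every error result and assert the configured token never appears in it.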

ASI03: Identity and Privilege Abuse
Low
What this means

Anyone or any process that can read the skill's config.json file could obtain the user's EODHD API token.

Why it was flagged

The skill asks for a third-party API credential and stores it locally. This is expected for an EODHD API client, but it is still sensitive credential handling.

Skill content
Ask the user for their EODHD API token... Write the token to the configuration file... /home/ubuntu/skills/eodhd-api/config.json
Recommendation

Use a limited-scope token if available, restrict access to the config file, and consider storing the token in a secret manager or environment variable.
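One way to act on the recommendation, as an added example that is not the skill's own code: prefer an environment variable, fall back to config.json only when the file is readable by its owner alone, and write the file with mode 0600 in the first place. The variable name EODHD_API_TOKEN, the {"api_token": ...} file layout and POSIX permission semantics are assumptions.

```python
# Added example, not code from the skill: read the token from an environment
# variable first, fall back to config.json only when the file is owner-only,
# and write the file with mode 0600. The variable name EODHD_API_TOKEN and the
# {"api_token": ...} file layout are assumptions; POSIX permissions are assumed.
import json
import os
import stat
import tempfile
from typing import Dict, Mapping, Optional

ENV_VAR = "EODHD_API_TOKEN"


def write_config(path: str, token: str) -> None:
    """Create or overwrite config.json readable by the owner only."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump({"api_token": token}, f)
    # The mode passed to os.open is subject to umask and is ignored when the
    # file already exists, so enforce it explicitly afterwards.
    os.chmod(path, 0o600)


def file_is_private(path: str) -> bool:
    """True if neither group nor others have any permission bits."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def load_token(path: str, environ: Optional[Mapping[str, str]] = None) -> Optional[str]:
    """Prefer the environment; otherwise refuse to read a group/world-readable file."""
    env = os.environ if environ is None else environ
    token = env.get(ENV_VAR)
    if token:
        return token
    if not os.path.exists(path):
        return None
    if not file_is_private(path):
        raise PermissionError(f"{path} is readable by group or others; chmod 600 it first")
    with open(path, encoding="utf-8") as f:
        return json.load(f).get("api_token")


def demo() -> Dict[str, object]:
    """Exercise the helpers in a temp directory with a constructed token."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "config.json")
        write_config(path, "SECRET123")
        out: Dict[str, object] = {
            "private_after_write": file_is_private(path),
            "from_file": load_token(path, environ={}),
            "env_wins": load_token(path, environ={ENV_VAR: "FROMENV"}),
        }
        os.chmod(path, 0o644)  # simulate a loosely permissioned file
        try:
            load_token(path, environ={})
            out["rejects_loose_file"] = False
        except PermissionError:
            out["rejects_loose_file"] = True
        return out


if __name__ == "__main__":
    print(demo())
```

Refusing to read a loosely permissioned file, rather than silently using it, makes an exposed token visible to the user at the point where rotation is still cheap.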

ASI02: Tool Misuse and Exploitation
Low
What this means

The agent may execute local scripts that make network calls using the configured API token.

Why it was flagged

The documented workflow includes generating and executing local Python scripts. This is aligned with the stated API-client purpose, but it means the agent may run code locally.

Skill content
Run the script using the `shell` tool. `python3.11 /home/ubuntu/fetch_eod.py`
Recommendation

Only run minimal, task-specific scripts, inspect generated code before execution when possible, and avoid adding unrelated file or network access.