Stock Expert
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
The skill is openly for stock trading, but it can use brokerage credentials and an unreviewed local Python script to place real buy or sell orders.
Only install this if you fully trust the local kis_trade.py script and understand it may access your brokerage account and place real trades. Use least-privileged or paper-trading credentials where possible, verify every order manually, and do not configure live trading credentials unless you accept the financial risk.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or overly broad approval could result in real stock trades and financial loss.
The skill exposes a command that can place buy or sell orders using user-supplied symbol, quantity, price, and side. Although the instructions require prior user confirmation, the action can directly affect a brokerage account.
### execute_order ... Buys or sells stocks ... python "{{KIS_TRADE_SCRIPT_PATH}}" order {{symbol}} {{qty}} {{price}} {{side}}
Use only with explicit per-order confirmation, clear order previews, hard trade limits, and preferably a paper-trading or read-only mode unless the user intentionally enables live trading.
The agent may gain access to private portfolio information and order-placement privileges for the configured KIS account.
The skill requires brokerage API credentials and an account number, while the registry metadata says there are no required env vars and no primary credential. This under-declares sensitive financial-account authority.
`KIS_APP_KEY`, `KIS_APP_SECRET`, `KIS_ACCOUNT_NO`: Account number (8 digits-2 digits)
Declare the credential requirements in metadata, document the exact permissions needed, use the least-privileged API keys available, and separate read-only balance/price access from live trading authority.
If the local script is wrong, outdated, or malicious, it could misuse credentials, return misleading account data, or execute unintended trades.
The skill depends on an external local kis_trade.py script, but the supplied package is instruction-only and provides no install spec or reviewed script. The provenance and behavior of the code that handles credentials and trading are therefore unclear.
`KIS_TRADE_SCRIPT_PATH`: Local path where the `kis_trade.py` file is located ... python "{{KIS_TRADE_SCRIPT_PATH}}"
Provide the helper script in the package or a pinned, checksum-verified install source; document its behavior; and avoid running unreviewed local scripts for live financial transactions.
