ClawHub

Market Data Provider

v0.1.0

Portable market data provider module for stock-report agents. Use when creating, installing, testing, or extending a provider-agnostic market data layer with...

0· 15·0 current·0 all-time
byDaniel Refahi@daniel-refahi-ikara
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name, description, included Python package, factory, and provider adapters (eodhd and mock) are all consistent with a market-data provider. The code uses EODHD API endpoints and provides a mock backend for offline testing—these match the skill's stated goal.
Instruction Scope
SKILL.md gives focused, explicit instructions (copy into skills/, set MARKET_DATA_PROVIDER, set EODHD token if using eodhd, run smoke_test). The smoke_test and provider call external endpoints (eodhd.com). Implementation appends the API token to the query string (api_token=<token>), which can expose the token in logs or referer headers—this is a security/privacy consideration but not scope creep.
Install Mechanism
No install spec is declared (instruction-only skill). All included code is local to the skill bundle; there are no external downloads or extract steps. Release and smoke-test scripts invoke local Python; nothing is fetched from untrusted URLs.
Credentials
The provided environment variables (MARKET_DATA_PROVIDER, EODHD_API_TOKEN/EODHD_API_KEY, MARKET_DATA_TIMEOUT_SECONDS) are appropriate for a provider module. One minor inconsistency: the registry metadata lists 'Required env vars: none' whereas the module defaults to the 'eodhd' provider and will raise AuthenticationError when instantiated without an API token—so either set MARKET_DATA_PROVIDER=mock for offline use or provide a token. Also note the API token is sent in the URL query string by the EODHD adapter, which can leak tokens to logs or referers.
Persistence & Privilege
The skill does not request persistent system-wide privileges. always is false. Scripts (release.py) write only to files inside the skill (VERSION) and call local packager paths; they do not modify other skills or global agent configuration.
Assessment
This skill appears to be what it claims: a reusable market-data module with a live EODHD backend and a mock backend for testing. Before installing: 1) If you don't want the skill to call external services, set MARKET_DATA_PROVIDER=mock — otherwise the default is eodhd and the skill will attempt HTTPS calls to eodhd.com. 2) If you supply an EODHD API token, be aware the implementation places it in the URL query string (api_token=...), which may be recorded in server logs or referer headers; avoid exposing that token in shared logs or use network controls to limit leakage. 3) The release script assumes a local packager at ~/.npm-global/… — review that script before running it. 4) The registry metadata omitted required/env expectations for live mode; follow SKILL.md and references/install.md for correct environment setup. If these points are acceptable, the skill is coherent and reasonable to use.

Like a lobster shell, security has layers — review code before you run it.

latestvk97cmybvbkwh2xqj74a6f603qn84a5c2

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments