Sentisense
Security checks across malware telemetry and agentic risk
Overview
The visible artifacts describe a read-only financial data API skill that needs a SentiSense API key, with no code or evidence of trading, wallet, or purchase actions, though the capability labels should be verified.
This appears safe to install for read-only SentiSense market-data lookups if you are comfortable providing a SentiSense API key. Treat outputs as informational market data, not investment advice, monitor API quota usage, and do not provide wallet, trading, payment, or purchase permissions.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may send market-data queries and use API quota on the user's SentiSense account.
The skill authorizes the agent to make direct network API calls. This is expected for a read-only data API and no write, trade, or purchase operations are shown.
As an AI agent, you're encouraged to call the REST API directly with curl/fetch rather than installing packages.
Use it for intended read-only queries, monitor quota usage, and avoid broad automated polling unless the user explicitly wants it.
If the API key is exposed or reused outside this skill, someone could consume the user's quota or access data available under that account.
The skill requires a provider API key, which is normal for authenticated API access but still grants access to the user's API account and quota.
requires: env: - SENTISENSE_API_KEY ... Authentication: API key via `X-SentiSense-API-Key` header.
Store the key only as an environment variable or secret, do not paste real keys into prompts, and rotate the key if exposure is suspected.
Users could be confused about whether the skill needs wallet or purchase authority.
The provided capability labels conflict with the visible read-only/no-wallet/no-purchase description. No actual wallet or purchase instruction is shown, so this is a verification note rather than evidence of unsafe behavior.
Description: "No trading, no purchases, no write operations, no wallet access." Capability signals: "crypto", "requires-wallet", "can-make-purchases".
Do not grant wallet, payment, trading, or purchase permissions to this skill unless future artifacts clearly justify them; the publisher should correct any inaccurate capability metadata.
